[Snort-devel] How is this a IMAP buffer overflow

npkg at ...1093...
Thu Jan 24 04:00:03 EST 2002


Hello Everyone,
      I am a new user of Snort. First of all I would like to appreciate the
developers for bringing out such a wonderful system. As I was reading the
users manual, I came across a rule that goes like this :

        activate tcp !$HOME_NET any -> $HOME_NET 143 (flags: PA; \
            content: "|E8C0FFFFFF|/bin"; activates: 1; \
            msg: "IMAP buffer overflow!";)
        dynamic tcp !$HOME_NET any -> $HOME_NET 143 (activated_by: 1; count: 50;)

 This rule tells Snort to alert when there is a buffer overflow, and log
the next 50 packets.
      I did not understand how the content value can be interpreted as a
buffer overflow. Any help in this regard would be very much appreciated.
               Thank you
                                          Gangadhar



-----------------------------------------
This email was sent using SquirrelMail.
   "Webmail for nuts!"
http://squirrelmail.org/
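
The following is an added example, not part of the original post or of Snort's code. It reads the content option the way the Snort manual gives it, hex bytes E8 C0 FF FF FF followed by the text /bin, and shows that those bytes decode as an x86 near call with a negative displacement, which is machine code that has no place in an IMAP command. The function names and both sample payloads are constructed for illustration.

```python
import struct

RULE_CONTENT = "|E8C0FFFFFF|/bin"   # content option as printed in the Snort manual


def parse_content(pattern: str) -> bytes:
    """Turn a Snort content string into the raw bytes it matches.

    Text between a pair of '|' is hex; everything else is literal ASCII.
    """
    parts = pattern.split("|")
    if len(parts) % 2 == 0:              # odd number of pipes: hex section never closed
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)


def describe_call(sig: bytes) -> dict:
    """Decode a leading x86 near CALL: opcode E8 plus a 32-bit little-endian displacement."""
    if len(sig) < 5 or sig[0] != 0xE8:
        raise ValueError("signature does not start with an E8 rel32 call")
    (disp,) = struct.unpack_from("<i", sig, 1)
    return {"opcode": "call rel32", "displacement": disp, "trailing": sig[5:]}


def find_signature(payload: bytes, pattern: str = RULE_CONTENT) -> int:
    """Return the offset where the rule's content matches, or -1 (what Snort's content test does)."""
    return payload.find(parse_content(pattern))


# Constructed sample payloads for TCP port 143 (not captured traffic).
BENIGN = b"a001 LOGIN alice secret\r\n"
SUSPICIOUS = b"a001 LOGIN " + b"A" * 40 + parse_content(RULE_CONTENT) + b"\r\n"

if __name__ == "__main__":
    sig = parse_content(RULE_CONTENT)
    info = describe_call(sig)
    print("signature bytes :", sig.hex(" "), "+", info["trailing"])
    print("decoded as      :", info["opcode"], "displacement", info["displacement"])
    print("benign login    :", find_signature(BENIGN))
    print("oversized login :", find_signature(SUSPICIOUS))
```

The rule therefore does not detect the overflow itself; it matches a byte sequence characteristic of injected code arriving in a packet for the IMAP port, and the dynamic rule then records the next 50 packets of that traffic.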





