[Snort-devel] False triggers with 1.9 release

Russell Fulton r.fulton at ...1343...
Tue Oct 22 09:06:02 EDT 2002


Hi All,
	I've just installed the release version of 1.9.0 and noticed some rules
being triggered inappropriately:

[**] EXPERIMENTAL IMAP list overflow attempt [**]
10/21-21:47:17.100278 210.48.17.1:1028 -> 130.216.239.8:143
TCP TTL:56 TOS:0x20 ID:27941 IpLen:20 DgmLen:66 DF
***AP*** Seq: 0x39490456  Ack: 0xC6124F5A  Win: 0x8218  TcpLen: 32
TCP Options (3) => NOP NOP TS: 335924 49095483 
0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 20  ....1q...F\...E 
0x0010: 00 42 6D 25 40 00 38 06 80 5E D2 30 11 01 82 D8  .Bm%@.8..^.0....
0x0020: EF 08 04 04 00 8F 39 49 04 56 C6 12 4F 5A 80 18  ......9I.V..OZ..
0x0030: 82 18 BD 4F 00 00 01 01 08 0A 00 05 20 34 02 ED  ...O........ 4..
0x0040: 23 3B 33 20 4C 49 53 54 20 22 22 20 22 22 0D 0A  #;3 LIST "" ""..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The rule for this is:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"EXPERIMENTAL IMAP list overflow attempt"; flow:established,to_server; content:" LIST |22 22| "; nocase; content:!"|0a|"; within:1024; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:4;)

I am having the same problem with both sid 1844 and 1845.

Anyone have any idea what is going on?

Previously I was running beta-6 and I did not notice this problem.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It ain't necessarily so"  - Gershwin
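Added example (editor's note, not part of Russell's post and not Snort's own code): the script below rebuilds the frame from the hexdump in the alert, pulls out the TCP payload using the IP and TCP header lengths carried in the packet, and then applies the intended logic of the two content options in sid:1845 as documented for Snort rule options: a case-insensitive search for ' LIST "" ', followed by a negated content that only matches when no 0x0a appears in the 1024 bytes after the end of the previous match. The captured payload is 3 LIST "" ""\r\n, so a newline sits three bytes after the first match and, under that reading of the options, the rule should not fire. A constructed payload with no line terminator is included to show the case the rule is written to catch. Function names and the semantics model are my own assumptions.

```python
"""Model sid:1845's content checks against the packet from the post.

The hexdump below is copied from the alert in the post; the rule-evaluation
logic is the editor's reading of the documented content/nocase/within
options, not Snort's matching engine.
"""

# The five hexdump lines from the alert, ASCII column included.
HEXDUMP = [
    r"0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 20  ....1q...F\...E ",
    r"0x0010: 00 42 6D 25 40 00 38 06 80 5E D2 30 11 01 82 D8  .Bm%@.8..^.0....",
    r"0x0020: EF 08 04 04 00 8F 39 49 04 56 C6 12 4F 5A 80 18  ......9I.V..OZ..",
    r"0x0030: 82 18 BD 4F 00 00 01 01 08 0A 00 05 20 34 02 ED  ...O........ 4..",
    r'0x0040: 23 3B 33 20 4C 49 53 54 20 22 22 20 22 22 0D 0A  #;3 LIST "" ""..',
]


def parse_snort_hexdump(lines):
    """Turn Snort's '0xNNNN: hh hh ... ascii' lines back into raw frame bytes."""
    frame = bytearray()
    for line in lines:
        offset_str, rest = line.split(":", 1)
        # Each line carries at most 16 bytes: 16 * 2 hex digits + 15 spaces = 47 chars.
        hex_part = rest.strip()[:47]
        if int(offset_str, 16) != len(frame):
            raise ValueError("hexdump offsets are not contiguous")
        frame += bytes.fromhex(hex_part)
    return bytes(frame)


def payload_from_frame(frame):
    """Strip Ethernet II, IPv4 and TCP headers, honouring the lengths in the packet."""
    if frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4                        # IpLen:20 in the alert
    total_len = int.from_bytes(frame[16:18], "big")     # DgmLen:66 in the alert
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4         # TcpLen:32 in the alert
    return frame[tcp_start + data_off: 14 + total_len]


def rule_1845_matches(payload, within=1024):
    """Model of the rule's content options (assumed semantics, see module docstring).

    content:" LIST |22 22| "; nocase;  -> case-insensitive search for ' LIST "" '
    content:!"|0a|"; within:1024;     -> match only if no 0x0a occurs in the
                                          1024 bytes after the end of that match
    """
    needle = b' LIST "" '.lower()
    idx = payload.lower().find(needle)
    if idx == -1:
        return False
    end = idx + len(needle)
    return b"\n" not in payload[end:end + within]


FRAME = parse_snort_hexdump(HEXDUMP)
PAYLOAD = payload_from_frame(FRAME)

# Constructed payload: a LIST argument that runs on with no line terminator.
LONG_LIST = b'a1 LIST "" "' + b"A" * 1100

if __name__ == "__main__":
    print("captured payload:", PAYLOAD)
    print("sid:1845 should fire on captured packet:", rule_1845_matches(PAYLOAD))
    print("sid:1845 should fire on constructed long LIST:", rule_1845_matches(LONG_LIST))
```

Run as-is and the captured packet evaluates to False (the newline is found within the window), while the constructed payload evaluates to True; if the 1.9.0 engine fires on the captured packet, the difference lies in how it handles the negated content plus within, not in the rule text.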
