[Snort-sigs] False +ve from a couple of new rules.

Russell Fulton r.fulton at ...575...
Sun Aug 11 13:13:01 EDT 2002


Hi,
 I am running snort 1.9.0beta2 (Build 184) and I am getting lots of
false positives on some new rules.  I am not sure if this is a problem
with the rules or a problem with snort.  I notice that both of these
rules use 'distance' which I can't find in the documentation, presumably
another new feature in 1.9.  

Anyway, what I have done here is to list the rule and a packet capture or
two that I believe to be false positives:  

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (
msg:"EXPERIMENTAL IMAP list overflow attempt";
flow:established,to_server; 
content:" LIST |22 22| "; nocase; content:"|0a|"; distance:1024; 
reference:nessus,10374; reference:cve,CAN-2000-0284; sid:1845; rev:1;)


[**] EXPERIMENTAL IMAP list overflow attempt [**]
08/09-02:05:24.830547 203.167.148.240:65500 -> 130.216.191.126:143
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:270
***AP*** Seq: 0x6FA2D693  Ack: 0x9E016CD2  Win: 0x16A0  TcpLen: 20
0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 10  ....1q...F\...E.
0x0010: 01 0E 00 00 00 00 F0 06 00 00 CB A7 94 F0 82 D8  ................
0x0020: BF 7E FF DC 00 8F 6F A2 D6 93 9E 01 6C D2 50 18  .~....o.....l.P.
0x0030: 16 A0 00 00 00 00 41 30 30 30 20 43 41 50 41 42  ......A000 CAPAB
0x0040: 49 4C 49 54 59 0D 0A 41 30 30 31 20 4C 4F 47 49  ILITY..A001 LOGI
0x0050: 4E 20 22 6D 64 75 73 30 30 31 22 20 22 32 30 34  N "mdus001" "204
0x0060: 31 30 38 34 22 0D 0A 41 30 30 32 20 4C 49 53 54  1084"..A002 LIST
0x0070: 20 22 22 20 22 22 0D 0A 41 30 30 33 20 43 41 50   "" ""..A003 CAP
0x0080: 41 42 49 4C 49 54 59 0D 0A 41 30 30 34 20 53 45  ABILITY..A004 SE
0x0090: 4C 45 43 54 20 22 49 4E 42 4F 58 22 0D 0A 41 30  LECT "INBOX"..A0
0x00A0: 30 35 20 46 45 54 43 48 20 31 39 20 28 55 49 44  05 FETCH 19 (UID
0x00B0: 29 0D 0A 41 30 30 36 20 55 49 44 20 46 45 54 43  )..A006 UID FETC
0x00C0: 48 20 39 34 37 3A 2A 20 28 55 49 44 20 46 4C 41  H 947:* (UID FLA
0x00D0: 47 53 29 0D 0A 41 30 30 37 20 55 49 44 20 46 45  GS)..A007 UID FE
0x00E0: 54 43 48 20 39 34 37 20 28 55 49 44 20 46 4C 41  TCH 947 (UID FLA
0x00F0: 47 53 20 49 4E 54 45 52 4E 41 4C 44 41 54 45 20  GS INTERNALDATE 
0x0100: 52 46 43 38 32 32 2E 53 49 5A 45 20 52 46 43 38  RFC822.SIZE RFC8
0x0110: 32 32 2E 48 45 41 44 45 52 29 0D 0A              22.HEADER)..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] EXPERIMENTAL IMAP list overflow attempt [**]
08/09-02:06:41.397150 203.167.148.240:65500 -> 130.216.191.126:143
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:147
***AP*** Seq: 0x9E016D3E  Ack: 0x6FA2E1AD  Win: 0x8218  TcpLen: 20
0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 10  ....1q...F\...E.
0x0010: 00 93 00 00 00 00 F0 06 00 00 CB A7 94 F0 82 D8  ................
0x0020: BF 7E FF DC 00 8F 9E 01 6D 3E 6F A2 E1 AD 50 18  .~......m>o...P.
0x0030: 82 18 00 00 00 00 41 30 30 38 20 53 45 4C 45 43  ......A008 SELEC
0x0040: 54 20 22 49 4E 42 4F 58 22 0D 0A 41 30 30 39 20  T "INBOX"..A009 
0x0050: 4C 49 53 54 20 22 22 20 22 49 4E 42 4F 58 2A 22  LIST "" "INBOX*"
0x0060: 0D 0A 41 30 31 30 20 4C 53 55 42 20 22 22 20 22  ..A010 LSUB "" "
0x0070: 49 4E 42 4F 58 2A 22 0D 0A 41 30 31 31 20 46 45  INBOX*"..A011 FE
0x0080: 54 43 48 20 31 3A 2A 20 28 55 49 44 20 46 4C 41  TCH 1:* (UID FLA
0x0090: 47 53 29 0D 0A 41 30 31 32 20 4C 4F 47 4F 55 54  GS)..A012 LOGOUT
0x00A0: 0D                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
I've sanitized the packet dump below to remove the authentication token.

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (
msg:"EXPERIMENTAL IMAP authenticate overflow attempt"; 
flow:established,to_server; content:" AUTHENTICATE "; nocase;
content:"|0a|"; 
distance:1024; reference:nessus,10292; reference:cve,CVE-1999-0042;
sid:1844; 
rev:1;)

[**] EXPERIMENTAL IMAP authenticate overflow attempt [**]
08/09-02:18:08.285641 172.132.184.188:3477 -> 130.216.208.1:143
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:196
***AP*** Seq: 0xA326AFDE  Ack: 0x1919380A  Win: 0x0  TcpLen: 20
0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 10  ....1q...F\...E.
0x0010: 00 C4 00 00 00 00 F0 06 00 00 AC 84 B8 BC 82 D8  ................
0x0020: D0 01 0D 95 00 8F A3 26 AF DE 19 19 38 0A 50 18  .......&....8.P.
0x0030: 00 00 00 00 00 00 31 20 61 75 74 68 65 6E 74 69  ......1 authenti
0x0040: 63 61 74 65 20 6C 6F 67 69 6E 0D 0A XX XX XX XX  cate login..xxxx
0x0050: XX XX XX XX XX XX XX XX 0D 0A XX XX XX XX XX XX  xxxxxxxx..xxxxxx
0x0060: XX XX XX XX XX XX 0D 0A 32 20 73 65 6C 65 63 74  xxxxx=..2 select
0x0070: 20 22 69 6D 61 70 2F 54 72 61 73 68 22 0D 0A 33   "imap/Trash"..3
0x0080: 20 73 74 6F 72 65 20 31 3A 2A 20 2B 46 4C 41 47   store 1:* +FLAG
0x0090: 53 2E 53 49 4C 45 4E 54 20 28 5C 44 65 6C 65 74  S.SILENT (\Delet
0x00A0: 65 64 29 0D 0A 34 20 65 78 70 75 6E 67 65 0D 0A  ed)..4 expunge..
0x00B0: 35 20 6C 69 73 74 20 22 22 20 22 69 6D 61 70 2F  5 list "" "imap/
0x00C0: 54 72 61 73 68 2F 2A 22 0D 0A 36 20 63 6C 6F 73  Trash/*"..6 clos
0x00D0: 65 0D                                            e.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin
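Both rules in the post (sid 1845 and sid 1844) chain two content matches, with the second one carrying distance:1024. As an added illustration, not code from the post or from Snort, the following Python models the documented semantics of that modifier, where distance is a minimum gap measured from the end of the previous content match, and runs both rule chains against constructed payloads that mirror the captured sessions (login credentials replaced with placeholders) and against a constructed over-long command line. Under those semantics the short, normal IMAP lines in the captures do not satisfy the chain, which is consistent with treating the alerts as false positives.

```python
"""Model of Snort's chained content matches with the 'distance' modifier.

Added example, not Snort source.  Assumption (Snort manual semantics):
'distance:N' makes a content match relative to the END of the previous
match and requires at least N bytes to be skipped before searching, so
content:"|0a|"; distance:1024 only matches a newline that sits 1024+ bytes
after the preceding token, i.e. an over-long IMAP command line.
"""

# Rule chains as (pattern, nocase, distance); distance None = absolute search.
RULE_1845_IMAP_LIST = [(b' LIST "" ', True, None), (b'\n', False, 1024)]
RULE_1844_IMAP_AUTHENTICATE = [(b' AUTHENTICATE ', True, None), (b'\n', False, 1024)]

# Constructed payloads: shaped like the captures in the post, credentials replaced.
BENIGN_LIST = (b'A000 CAPABILITY\r\n'
               b'A001 LOGIN "user" "pass"\r\n'
               b'A002 LIST "" ""\r\n'
               b'A003 CAPABILITY\r\n'
               b'A004 SELECT "INBOX"\r\n')
BENIGN_AUTH = b'1 authenticate login\r\nXXXX\r\nXXXX\r\n2 select "imap/Trash"\r\n'
# Constructed over-long LIST argument: the shape of traffic the rule targets.
LONG_LIST = b'A002 LIST "" "' + b'A' * 1100 + b'"\r\n'


def content_chain_matches(payload: bytes, chain) -> bool:
    """Return True if every content in the chain matches in order."""
    cursor = 0  # offset just past the previous match
    for pattern, nocase, distance in chain:
        # Relative content: skip at least 'distance' bytes after the previous match.
        start = cursor + distance if distance is not None else 0
        if start > len(payload):
            return False
        hay, needle = payload[start:], pattern
        if nocase:  # nocase applies only to the content it follows
            hay, needle = hay.lower(), needle.lower()
        idx = hay.find(needle)
        if idx < 0:
            return False
        cursor = start + idx + len(pattern)
    return True


if __name__ == "__main__":
    for name, payload, chain in [("benign LIST", BENIGN_LIST, RULE_1845_IMAP_LIST),
                                 ("benign AUTHENTICATE", BENIGN_AUTH, RULE_1844_IMAP_AUTHENTICATE),
                                 ("over-long LIST", LONG_LIST, RULE_1845_IMAP_LIST)]:
        print(f"{name}: {'match' if content_chain_matches(payload, chain) else 'no match'}")
```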




