[Snort-sigs] False +ve from a couple of new rules.

Michael Scheidell scheidell at ...249...
Sun Aug 11 14:30:02 EDT 2002

> Anyway what I have done here is to list the rule and a packet capture or
> two, that I believe to be a false positive:  
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (
> msg:"EXPERIMENTAL IMAP list overflow attempt";
> flow:established,to_server; 
> content:" LIST |22 22| "; nocase; content:"|0a|"; distance:1024; 
> reference:nessus,10374; reference:cve,CAN-2000-0284; sid:1845; rev:1;)

In both packets, I see the LIST, the 0x22 0x22 and, later on, the 0x0a,
so Snort is doing what it should (I don't know what distance is either).

Michael Scheidell
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security?
