[Snort-sigs] False +ve from a couple of new rules.
scheidell at ...249...
Sun Aug 11 14:30:02 EDT 2002
> Anyway what I have done here is to list the rule and a packet capture or
> two, that I believe to be a false positive:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (
> msg:"EXPERIMENTAL IMAP list overflow attempt";
> content:" LIST |22 22| "; nocase; content:"|0a|"; distance:1024;
> reference:nessus,10374; reference:cve,CAN-2000-0284; sid:1845; rev:1;)
In both packets, I see the LIST, the 0x22 0x22 and, later on, the 0x0a,
so Snort is doing what it should (I don't know what distance is either).
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
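The matching logic of sid:1845 rev:1 as written, next to the stricter condition the rule is presumably meant to express, as an added Python example. This is not Snort's matching engine and not code from the thread; the IMAP payloads are constructed, and the only Snort semantics assumed are the documented ones: `distance:N` makes the second content search start N bytes after the end of the previous match and, with no `within`, run to the end of the payload. That is exactly why a short, legitimate LIST line followed by more than 1024 bytes of pipelined data in the same payload also fires.

```python
import re

# Constructed IMAP payloads (not taken from the original thread).
# 1. A genuine oversized LIST argument: >1024 bytes before the line terminator.
ATTACK = b'a001 LIST "" ' + b'A' * 1100 + b'\r\n'
# 2. A benign pipelined session: the LIST line ends after a few bytes, but a
#    later APPEND literal pushes another LF more than 1024 bytes past the match.
BENIGN_PIPELINED = (b'a001 LIST "" "*"\r\n'
                    + b'a002 APPEND INBOX {1100}\r\n'
                    + b'x' * 1100 + b'\r\n')
# 3. A short LIST line on its own.
BENIGN_SHORT = b'a001 LIST "" "*"\r\n'

# content:" LIST |22 22| "; nocase  ->  ' LIST "" ' matched case-insensitively
LIST_PATTERN = re.compile(rb' LIST "" ', re.IGNORECASE)


def sid1845_matches(payload: bytes) -> bool:
    """Approximation of sid:1845 rev:1 as posted (added example, not Snort).

    content:"|0a|"; distance:1024  ->  a 0x0a byte whose position is at least
    1024 bytes after the END of the previous match, anywhere up to the end of
    the payload, because the rule carries no 'within' to bound the search.
    """
    m = LIST_PATTERN.search(payload)
    if not m:
        return False
    return payload.find(b'\n', m.end() + 1024) != -1


def oversized_list_line(payload: bytes, limit: int = 1024) -> bool:
    """Stricter check (added example): fire only when the LIST command line
    itself is not terminated within `limit` bytes after ' LIST "" ', i.e. the
    argument really is at least `limit` bytes long."""
    m = LIST_PATTERN.search(payload)
    if not m:
        return False
    window = payload[m.end():m.end() + limit]
    return b'\n' not in window


def evaluate(payload: bytes) -> dict:
    """Both verdicts for one payload, for side-by-side comparison."""
    return {
        "sid1845_as_written": sid1845_matches(payload),
        "oversized_list_line": oversized_list_line(payload),
    }


if __name__ == "__main__":
    for name, payload in (("ATTACK", ATTACK),
                          ("BENIGN_PIPELINED", BENIGN_PIPELINED),
                          ("BENIGN_SHORT", BENIGN_SHORT)):
        print(name, evaluate(payload))
```

The pipelined payload is the interesting case: the rule as posted alerts on it because `distance` only sets a minimum offset for the LF, while the stricter check stays quiet because the LIST line was terminated long before 1024 bytes. In Snort rule language the stricter condition would be expressed with a negated content and `within` (that translation is my assumption, not something the thread states); the Python above only shows which condition separates the two payloads.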