[Snort-sigs] False +ve from a couple of new rules.

Michael Scheidell scheidell at ...249...
Sun Aug 11 14:30:02 EDT 2002


> Anyway what I have done here is to list the rule and a packet capture or
> two, that I believe to be a false positive:  
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (
> msg:"EXPERIMENTAL IMAP list overflow attempt";
> flow:established,to_server; 
> content:" LIST |22 22| "; nocase; content:"|0a|"; distance:1024; 
> reference:nessus,10374; reference:cve,CAN-2000-0284; sid:1845; rev:1;)

In both packets I see the LIST, the 0x22 0x22 and, later on, the 0x0a,
so Snort is doing what it should (I don't know what distance is either).

-- 
Michael Scheidell
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security?
http://www.secnap.net/employment/
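As an added illustration (not Snort's own matcher and not the packets from the report above), the following Python models how the two content checks of sid:1845 combine: the second search for 0x0a starts 1024 bytes after the end of the `LIST ""` match and may hit any line terminator at or beyond that point, which is why a 0x0a that appears much later in the same packet still satisfies the rule. The distance semantics stated here and the sample payloads are assumptions made for this example.

```python
# Minimal model of sid:1845's content/distance logic (added example,
# not Snort source). Assumed semantics:
#   - content:" LIST |22 22| "; nocase  -> case-insensitive substring search
#   - content:"|0a|"; distance:1024     -> search for 0x0a begins 1024 bytes
#     after the END of the previous match and may succeed anywhere after that.

PATTERN1 = b' LIST "" '   # " LIST |22 22| " with the hex bytes expanded
PATTERN2 = b"\n"          # |0a|
DISTANCE = 1024           # distance:1024


def find_nocase(payload: bytes, pattern: bytes, start: int = 0) -> int:
    """Case-insensitive substring search; returns match offset or -1."""
    return payload.lower().find(pattern.lower(), start)


def sid1845_matches(payload: bytes) -> bool:
    """True when the payload satisfies both content checks of the rule."""
    first = find_nocase(payload, PATTERN1)
    if first == -1:
        return False
    # distance is counted from the end of the previous match, not its start
    search_from = first + len(PATTERN1) + DISTANCE
    return payload.find(PATTERN2, search_from) != -1


# Constructed sample payloads (hypothetical, not captured traffic).
# 1. An ordinary LIST: the only 0x0a sits right after the command.
NORMAL_LIST = b'a002 LIST "" "*"\r\n'
# 2. A LIST whose arguments run past 1024 bytes before the line ends,
#    the shape the rule was written to flag.
LONG_LIST = b'a002 LIST "" "' + b"A" * 1100 + b'"\r\n'
# 3. A normal LIST followed, in the same payload, by enough other client
#    commands that some later line terminator falls 1024+ bytes after it.
PIPELINED = NORMAL_LIST + b"a003 FETCH 1 BODY[]\r\n" * 60


def classify_samples() -> dict:
    """Evaluate the three samples; PIPELINED matching is the false positive."""
    return {
        "normal": sid1845_matches(NORMAL_LIST),      # False
        "long": sid1845_matches(LONG_LIST),          # True
        "pipelined": sid1845_matches(PIPELINED),     # True
    }


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:10s} -> {'ALERT' if hit else 'no match'}")
```

The third sample never has more than a few bytes between `LIST ""` and its own line terminator, yet it matches because the rule only requires some 0x0a at least 1024 bytes past the first content, not one on the same line.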