[Snort-sigs] Problem with pop3.rules and ftp.rules

Andrew J. Hobbs andrew at ...1279...
Tue Feb 11 06:41:06 EST 2003


After updating the ruleset, ftp.rules (v 1.31.2.2 2003/02/07 22:04:50) 
reports a positive hit every time a legitimate FTP session is 
established.  Likewise, pop3.rules (v 1.4.2.1 2002/11/17 04:40:09) 
reports a false positive for connections to our pop server as well.

The specific culprit seems to be an inverted rule.  Preface: I've used 
snort for a long time in a configure-and-hands-off kind of way, so rule 
design is NOT my bag.  This is strictly shoot-from-the-hip sort of 
thinking...

SID: 1866
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow 
attempt"; flow:to_server,established; content:"USER "; nocase; 
content:!"|0a|"; within:50; reference:bugtraq,789; 
reference:cve,CVE-1999-0494; reference:nessus,10311; 
classtype:attempted-admin; sid:1866; rev:4;)

Note the content part.  content:!"|0a|";  0a should be legit if it's 
WITHIN 50 bytes, but instead, there is an inversion (if I read these 
right) to not within 50 bytes.  If that's the case, legit passwords are 
flagged as a priority one exploit attempt.  This is in fact the 
behavior we're seeing as every attempt to check mail sends up a red 
alert flag.  The problems with FTP.RULES are very similar.

Any light shed would be appreciated.  Am I right in this?  Or totally 
off base?  If off base, then why the heck are we red-flagging legit users?

Andrew
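The content/within logic of SID 1866 quoted above, emulated in Python and run over a few constructed POP3 client payloads (added example, not part of the original post; the sample payloads and the function names are my own). It shows what the rule should and should not fire on when `content:"USER "; nocase;` is followed by the negated `content:!"|0a|"; within:50;`: the negated option succeeds only when no LF byte appears in the 50 bytes after the end of the USER match.

```python
# Constructed sample POP3 client-to-server payloads (not from the original post).
SAMPLES = {
    "legit_login":     b"USER andrew\r\n",
    "legit_lowercase": b"user andrew\r\n",                 # nocase must still match
    "long_no_lf":      b"USER " + b"A" * 60,               # 60-byte name, no LF at all
    "long_with_lf":    b"USER " + b"A" * 45 + b"\r\n",     # LF at offset 46 of the window
    "no_user":         b"PASS secret\r\n",                 # first content never matches
}

def content_match(payload: bytes, pattern: bytes, start: int = 0, nocase: bool = False) -> int:
    """Emulate a Snort content match starting at `start`.
    Returns the offset just past the first match (the new 'doe' cursor), or -1."""
    hay = payload[start:]
    if nocase:
        hay, pattern = hay.lower(), pattern.lower()
    idx = hay.find(pattern)
    return -1 if idx < 0 else start + idx + len(pattern)

def sid_1866_fires(payload: bytes) -> bool:
    """Emulate the detection part of SID 1866:
         content:"USER "; nocase; content:!"|0a|"; within:50;
    The rule fires when 'USER ' is present and no 0x0a byte occurs in the
    50 bytes that follow the end of that match (the `within:50` window)."""
    cursor = content_match(payload, b"USER ", nocase=True)
    if cursor < 0:
        return False                       # first content failed: rule cannot fire
    window = payload[cursor:cursor + 50]   # within:50 is relative to the previous match
    return b"\x0a" not in window           # negated content: success == pattern absent

def evaluate(samples: dict) -> dict:
    """Run the emulated rule over every sample and report which ones alert."""
    return {name: sid_1866_fires(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, fired in evaluate(SAMPLES).items():
        print(f"{name:16s} -> {'ALERT' if fired else 'ok'}")
```

Under these semantics a normal login such as "USER andrew\r\n" contains the LF inside the window and must not alert, while a 60-byte username with no terminating LF does; any deployment that alerts on the first case is diverging from this reading of the rule.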
