[Snort-sigs] Problem with pop3.rules and ftp.rules

Jens Krabbenhoeft tschenz-snort-sigs at ...1099...
Tue Feb 11 07:00:10 EST 2003


> alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow 
> attempt"; flow:to_server,established; content:"USER "; nocase; 
> content:!"|0a|"; within:50; reference:bugtraq,789; 
> reference:cve,CVE-1999-0494; reference:nessus,10311; 
> classtype:attempted-admin; sid:1866; rev:4;)

> Note the content part.  content:!"|0a|";  0a should be legit if it's 
> WITHIN 50 bytes, but instead, there is an inversion (if I read these 
> right) to not within 50 bytes.  If that's the case, legit passwords are 

The rule matches packets which have "USER " in it, and no "|0a|" within
the next 50 bytes. Thus it alerts on passwords longer than 50 bytes (or,
as intended, overflow attempts).

There might be false positives if you have clients that do not send
CR/LF at the end of the line (broken clients *g*). Some builds of snort
2.0 had an off-by-one bug in stream4 which caused snort to chop off the
|0a| at the end, giving false positives too (don't know if that applies
to 1.9.0 and/or SNORT_1_9 from cvs).
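To make the negated-content semantics concrete, here is an added example (not from the post, and not Snort's own matching code) that models how `content:"USER "; nocase; content:!"|0a|"; within:50;` evaluates against a single PoP3 command payload: find the `USER ` keyword case-insensitively, then look at the 50 bytes following it and alert only if no LF appears there. The constructed sample payloads show the normal case, the 50-byte boundary, and the two false-positive cases described above (a client that never sends a line terminator, and a trailing `0a` chopped off by the reassembler).

```python
"""Simplified model of the Snort sid:1866 POP3 USER overflow rule.

This is an illustrative reimplementation of the content/within logic,
not Snort's detection engine. Assumption: `within:N` means the negated
1-byte content must not occur in the N bytes directly following the end
of the previous match, which is how the rule is read in the thread.
"""

USER_KEYWORD = b"USER "   # content:"USER "; nocase;
WINDOW = 50               # within:50


def pop3_user_overflow_alert(payload: bytes, window: int = WINDOW) -> bool:
    """Return True if the rule would alert on this to-server payload."""
    # nocase match of the first content; bytes.lower() is safe for ASCII keywords.
    idx = payload.lower().find(USER_KEYWORD.lower())
    if idx == -1:
        return False                       # first content did not match
    start = idx + len(USER_KEYWORD)        # "within" is relative to the end of the match
    following = payload[start:start + window]
    # content:!"|0a|"; within:50;  ->  match succeeds only if no LF is in the window.
    return b"\n" not in following


def evaluate_samples() -> dict:
    """Run the rule over constructed payloads and return name -> alerted."""
    samples = {
        # Ordinary login line: LF well inside the window, no alert.
        "normal_login": b"USER alice\r\n",
        # Mixed case keyword still matches because of nocase.
        "lowercase_keyword": b"user Alice\r\n",
        # Not a USER command at all, first content fails, no alert.
        "pass_command": b"PASS s3cret\r\n",
        # 49-byte username: LF is the 50th byte after the match, still within 50.
        "username_49": b"USER " + b"A" * 49 + b"\n",
        # 50-byte username: LF falls just outside the window, alert.
        "username_50": b"USER " + b"A" * 50 + b"\n",
        # Oversized username of the kind the rule is meant to catch.
        "overflow_attempt": b"USER " + b"A" * 400 + b"\r\n",
        # False positive 1: "broken client" that sends no line terminator.
        "no_terminator_client": b"USER bob",
        # False positive 2: reassembler dropped the trailing |0a| (only CR left).
        "chopped_lf": b"USER bob\r",
    }
    return {name: pop3_user_overflow_alert(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, alerted in evaluate_samples().items():
        print(f"{name:22s} alert={alerted}")
```

The two false-positive samples at the end of `evaluate_samples()` alert exactly because the negated content can only be satisfied by the presence of an LF; anything that removes the LF from the inspected bytes, whether a client quirk or a reassembly bug, looks identical to a long username to this rule.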

