[Snort-sigs] Sid:1845 IMAP list overflow attempt

Schmehl, Paul L pauls at ...1311...
Wed Feb 26 14:53:15 EST 2003


I'm getting a lot of hits on this rule, and they appear to be legitimate
traffic.  Unfortunately, I'm not geeky enough to translate hex to ASCII
and make sense of the content stuff, so maybe one of you who is can help
me.

Here's the rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow
attempt"; flow:established,to_server; content:" LIST |22 22| "; nocase;
content:!"|0a|"; within:1024; reference:nessus,10374;
reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:5;)

If I understand this rule, it's looking for space - LIST - double quote
- double quote and not an "nl" within 1024 bytes.  What is an "nl"?

And here's the payload from one example that triggered the rule:
  length = 22

000 : 31 39 35 35 20 4c 49 53 54 20 22 22 20 22 71 75    1955 LIST "" "qu
010 : 65 73 74 22 0D 0A                                  uest"..

Every one I've looked at (and there are many) has this LIST command in
it and appears to be asking for bulletin boards that actually exist on
our IMAP server.

Here's another one:
  length = 40

000 : 31 31 30 39 32 31 20 4c 49 53 54 20 22 22 20 22    110921 LIST "" "
010 : 53 68 61 72 65 64 5F 46 6F 6C 64 65 72 73 2E 61    Shared_Folders.a
020 : 73 73 69 73 64 22 0D 0A                            assist"..

I'm going to disable this rule anyway, because it's looking for a buffer
overflow in UW imapd, which we don't run, so don't do a bunch of
research if you don't already know.  I'm just trying to understand
rulemaking a little better.  So if you know what "nl" is, tell me.
Otherwise don't waste your precious time trying to figure it out.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
