[Snort-sigs] Sid:1845 IMAP list overflow attempt

Kenneth G. Arnold bkarnold at ...1280...
Wed Feb 26 16:51:11 EST 2003


I have disabled this rule also for the same reasons along with a whole lot
of others.  The rule is looking for "LIST" and no line feed/new line hex
|0a| within 1024 bytes. Your example shows that "LIST" is definitely
present.  You also show a line feed character and it is the 22nd
character.  Theoretically this signature should not have fired.
Unfortunately the within portion of the rule is broken in the stable
version of 1.9.0 so it fires anyway.  I have read that if you upgrade to
the very latest version bleeding edge (I am not quite sure where you find
this.) this problem has been fixed.

Ken

On Wed, 26 Feb 2003, Schmehl, Paul L wrote:

> I'm getting a lot of hits on this rule, and they appear to be legitimate
> traffic.  Unfortunately, I'm not geeky enough to translate hex to ascii
> and make sense of the content stuff, so maybe one of you who is can help
> me.
>
> Here's the rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:" LIST |22 22| "; nocase; content:!"|0a|"; within:1024; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:5;)
>
> If I understand this rule, it's looking for space - LIST - double quote
> - double quote and not an "nl" within 1024 bytes.  What is an "nl"?
>
> And here's the payload from one example that triggered the rule:
>   length = 22
>
> 000 : 31 39 35 35 20 4c 49 53 54 20 22 22 20 22 71 75    1955 LIST "" "qu
> 010 : 65 73 74 22 0D 0A                                  uest"..
>
> Every one I've looked at (and there are many) has this LIST command in
> it and appears to be asking for bulletin boards that actually exist on
> our IMAP server.
>
> Here's another one:
>   length = 40
>
> 000 : 31 31 30 39 32 31 20 4c 49 53 54 20 22 22 20 22    110921 LIST "" "
> 010 : 53 68 61 72 65 64 5F 46 6F 6C 64 65 72 73 2E 61    Shared_Folders.a
> 020 : 73 73 69 73 64 22 0D 0A                            assist"..
>
> I'm going to disable this rule anyway, because it's looking for a buffer
> overflow in UW imapd, which we don't run, so don't do a bunch of
> research if you don't already know.  I'm just trying to understand
> rulemaking a little better.  So if you know what "nl" is, tell me.
> Otherwise don't waste your precious time trying to figure it out.
>
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>
>
>
