[Snort-sigs] Sid:1845 IMAP list overflow attempt

Schmehl, Paul L pauls at ...1311...
Wed Feb 26 17:20:04 EST 2003


Wait a minute.  Maybe I'm not understanding the meaning of within.  The
rule reads:
content:" LIST |22 22| "; nocase; content:!"|0a|"; within:1024;

Wouldn't this mean that if you find a new line within the first 1024
bytes the rule triggers?

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/



-----Original Message-----
From: Kenneth G. Arnold [mailto:bkarnold at ...1280...] 
Sent: Wednesday, February 26, 2003 6:50 PM
To: Schmehl, Paul L
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Sid:1845 IMAP list overflow attempt


I have disabled this rule also for the same reasons along with a whole
lot of others.  The rule is looking for "LIST" and no line feed/newline
hex |0a| within 1024 bytes.  Your example shows that "LIST" is definitely
present.  You also show a line feed character and it is the 22nd
character.  Theoretically this signature should not have fired.
Unfortunately the within portion of the rule is broken in the stable
version of 1.9.0 so it fires anyway.  I have read that if you upgrade to
the very latest version bleeding edge (I am not quite sure where you find
this.) this problem has been fixed.
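To make the within semantics concrete, here is an added example in Python; it is not code from the original thread and not the Snort matching engine. It models the two content checks of sid:1845 the way the Snort manual documents them: the first content is a case-insensitive literal, and a negated content with within:N succeeds only when the pattern is absent from the N bytes that follow the end of the previous content match (measured from that match, not from the start of the packet). The IMAP command lines are constructed for the example, and the handling of a window cut short by the end of the packet is an assumption noted in the code. The 1.9.0 behaviour the reply describes is not reproduced here.

```python
import re

# Modelled Snort content-modifier semantics (illustration, not the Snort engine):
#   content:"..."; nocase;       -> case-insensitive literal search
#   content:!"..."; within:N;    -> the pattern must NOT appear in the N bytes
#                                   following the END of the previous match
FIRST_CONTENT = rb' LIST "" '    # " LIST |22 22| ", |22| is the double quote
NEGATED_CONTENT = b"\n"          # |0a|
WITHIN = 1024


def match_sid1845(payload: bytes, within: int = WITHIN) -> bool:
    """Return True when both content checks of sid:1845 succeed on payload."""
    first = re.search(re.escape(FIRST_CONTENT), payload, re.IGNORECASE)
    if first is None:
        return False                      # no ' LIST "" ' at all: cannot fire
    # within is relative to the end of the previous match, not to offset 0.
    window = payload[first.end(): first.end() + within]
    # Assumption: a window truncated by the end of the packet is searched as-is.
    newline_seen = NEGATED_CONTENT in window
    return not newline_seen               # '!' inverts the result of the search


def newline_offset(payload: bytes) -> int:
    """Offset of the first 0x0a in the payload, or -1 (reporting only)."""
    return payload.find(NEGATED_CONTENT)


# Constructed sample payloads (not the packet from the original post).
SAMPLES = {
    # Ordinary LIST command; the newline follows the arguments almost at once.
    "normal_list": b'a001 LIST "" "*"\r\n',
    # Same command in lower case: nocase still matches the first content.
    "lowercase_list": b'a002 list "" "*"\r\n',
    # Overlong mailbox argument: no 0x0a in the 1024 bytes after ' LIST "" '.
    "overlong_list": b'a003 LIST "" "' + b"A" * 1100 + b'"\r\n',
    # No LIST command at all: the first content never matches.
    "unrelated": b"a004 NOOP\r\n",
    # Segment cut off before any newline (assumption: truncated window counts).
    "no_newline": b'a005 LIST "" "*"',
}


def evaluate_samples() -> dict:
    """Run the rule model over every sample: name -> (fires, newline offset)."""
    return {name: (match_sid1845(p), newline_offset(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (fires, off) in evaluate_samples().items():
        print(f"{name:15s} fires={fires!s:5s} first 0x0a at offset {off}")
```

Under these semantics a newline early in the payload does not make the rule fire; it is the absence of a newline in the 1024 bytes after the LIST arguments that does, which is what an overlong-argument overflow attempt looks like on the wire.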
