[Snort-sigs] Sid:1845 IMAP list overflow attempt

Russell Fulton r.fulton at ...575...
Wed Feb 26 17:35:14 EST 2003


On Thu, 2003-02-27 at 14:19, Schmehl, Paul L wrote:
> Wait a minute.  Maybe I'm not understanding the meaning of within.  The
> rule reads:
> content:" LIST |22 22| "; nocase; content:!"|0a|"; within:1024;
> 
> Wouldn't this mean that if you find a new line within the first 1024
> bytes the rule triggers?
> 

There is a not (!) in there, so the rule reads "list followed by *no* |0a|
within 1024".

The bug that was fixed recently was one in stream4 which caused the last
byte of the packet to be lost, and this was sometimes the |0a|, causing the
rule to fire.

Were the packet dumps generated by snort or something else?  If they are
from snort then this is odd since they show both the CR and LF.

The bug is fixed in the latest 1.9.0 snapshot that I have been running
without problems for the last few weeks.


-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin





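The following is an added example, not part of the original message and not Snort's own matcher: a simplified Python model of the two content checks quoted in the thread, showing why a reassembly bug that drops the trailing LF makes the rule fire on a benign LIST command. The function names and sample payloads are constructed, and the model assumes that a window shorter than 1024 bytes with no LF in it satisfies the negated content.

```python
# Simplified model of:
#   content:" LIST |22 22| "; nocase; content:!"|0a|"; within:1024;
# Assumption: this mirrors only the two content checks, nothing else in the rule.

WITHIN = 1024
ANCHOR = b' list "" '          # " LIST |22 22| " lowered for the nocase compare


def rule_fires(payload: bytes) -> bool:
    """Return True if the modelled rule would alert on this payload."""
    haystack = payload.lower()  # nocase applies to the first content match
    start = 0
    while True:
        idx = haystack.find(ANCHOR, start)
        if idx < 0:
            return False        # first content never matched
        end = idx + len(ANCHOR)
        # Negated content: alert only if NO 0x0a appears in the bytes
        # available within 1024 of the end of the previous match.
        if b"\x0a" not in payload[end:end + WITHIN]:
            return True
        start = idx + 1         # try a later occurrence of the anchor


def drop_last_byte(payload: bytes) -> bytes:
    """Model the stream4 symptom described above: the final byte is lost."""
    return payload[:-1]


# Constructed sample payloads (not taken from the thread's packet dumps).
NORMAL = b'a001 LIST "" *\r\n'                    # short, newline-terminated
OVERSIZED = b'a001 list "" ' + b"A" * 2000 + b"\r\n"  # no LF within 1024 bytes

if __name__ == "__main__":
    for name, data in [
        ("normal", NORMAL),
        ("normal, last byte lost", drop_last_byte(NORMAL)),
        ("oversized argument", OVERSIZED),
    ]:
        print(f"{name:24s} fires={rule_fires(data)}")
```
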