[Snort-sigs] Sid:1845 IMAP list overflow attempt

Kenneth G. Arnold bkarnold at ...1280...
Wed Feb 26 18:27:01 EST 2003

There is a ! character in front of the |0a| which means that there is no
|0a| character within the first 1024 bytes. This would be the case if
someone were trying to overflow something.  There would be a very large
distance to the |0a| character.


On Wed, 26 Feb 2003, Schmehl, Paul L wrote:

> Wait a minute.  Maybe I'm not understanding the meaning of within.  The
> rule reads:
> content:" LIST |22 22| "; nocase; content:!"|0a|"; within:1024;
> Wouldn't this mean that if you find a new line within the first 1024
> bytes the rule triggers?
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
> -----Original Message-----
> From: Kenneth G. Arnold [mailto:bkarnold at ...1280...]
> Sent: Wednesday, February 26, 2003 6:50 PM
> To: Schmehl, Paul L
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Sid:1845 IMAP list overflow attempt
> I have disabled this rule also for the same reasons along with a whole
> lot of others.  The rule is looking for "LIST" and no line feedi/new
> line hex
> |0a| within 1024 bytes. You example shows that "LIST" is definitely
> present.  You also show a line feed character and it is the 22nd
> character.  Theoretically this signature should not have fired.
> Unfortunately the within portion of the rule is broken in the stable
> version of 1.9.0 so it fires anyway.  I have read that if you upgrade to
> the very latest version bleeding edge (I am not quite sure where you
> find
> this.) this problem has been fixed.

More information about the Snort-sigs mailing list