[Snort-sigs] Sid:1845 IMAP list overflow attempt
Kenneth G. Arnold
bkarnold at ...1280...
Wed Feb 26 18:27:01 EST 2003
There is a ! character in front of the |0a| which means that there is no
|0a| character within the first 1024 bytes. This would be the case if
someone were trying to overflow something. There would be a very large
distance to the |0a| character.
On Wed, 26 Feb 2003, Schmehl, Paul L wrote:
> Wait a minute. Maybe I'm not understanding the meaning of within. The
> rule reads:
> content:" LIST |22 22| "; nocase; content:!"|0a|"; within:1024;
> Wouldn't this mean that if you find a new line within the first 1024
> bytes the rule triggers?
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> -----Original Message-----
> From: Kenneth G. Arnold [mailto:bkarnold at ...1280...]
> Sent: Wednesday, February 26, 2003 6:50 PM
> To: Schmehl, Paul L
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Sid:1845 IMAP list overflow attempt
> I have disabled this rule also for the same reasons along with a whole
> lot of others. The rule is looking for "LIST" and no line feed/new
> line hex |0a| within 1024 bytes. Your example shows that "LIST" is definitely
> present. You also show a line feed character and it is the 22nd
> character. Theoretically this signature should not have fired.
> Unfortunately the within portion of the rule is broken in the stable
> version of 1.9.0 so it fires anyway. I have read that if you upgrade to
> the very latest version bleeding edge (I am not quite sure where you
> this.) this problem has been fixed.
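To make the semantics under discussion concrete, here is an added example (not Snort's code and not part of the original thread) that models how the two content options of sid 1845 are meant to combine: the first content finds ` LIST "" ` case-insensitively, and the negated second content then requires that no `|0a|` byte appear in the `within:1024` window that follows the end of that match. The sample IMAP payloads are constructed for the example; the model reproduces the intended behaviour Kenneth describes, not the 1.9.0 `within` bug he mentions.

```python
# Added example: a small model of the matching logic behind
#   content:" LIST |22 22| "; nocase; content:!"|0a|"; within:1024;
# This is not Snort's implementation; it is an illustration of the intended
# semantics. The sample payloads below are constructed for the example.

def parse_snort_content(s: str) -> bytes:
    """Turn a Snort content string with |hex| sections into raw bytes.
    ' LIST |22 22| ' -> b' LIST "" ' ; '|0a|' -> b'\\n'."""
    out = bytearray()
    in_hex = False
    for part in s.split("|"):
        if in_hex:
            out.extend(bytes.fromhex(part))   # bytes.fromhex ignores the spaces
        else:
            out.extend(part.encode("latin-1"))
        in_hex = not in_hex
    return bytes(out)


LIST_PATTERN = parse_snort_content(' LIST |22 22| ')   # the first content
NEWLINE = parse_snort_content('|0a|')                  # the negated content


def sid1845_matches(payload: bytes, within: int = 1024) -> bool:
    """Return True when the rule (as intended) would fire on this payload.

    Step 1: content:" LIST |22 22| "; nocase;  -> case-insensitive search.
    Step 2: content:!"|0a|"; within:1024;     -> negated: the rule matches
            only if NO 0x0a byte is found in the `within` bytes that follow
            the end of the step-1 match. A newline inside that window means
            "ordinary short LIST command", so the rule must NOT fire.
    """
    idx = payload.lower().find(LIST_PATTERN.lower())
    if idx == -1:
        return False                       # no LIST "" -> rule cannot fire
    end = idx + len(LIST_PATTERN)
    window = payload[end:end + within]     # the bytes covered by within:1024
    return NEWLINE not in window


# Constructed sample payloads (not captured traffic).
BENIGN_LIST = b'A001 LIST "" "*"\r\n'                     # newline a few bytes on
LOWERCASE_LIST = b'a002 list "" "INBOX"\r\n'              # nocase still finds it
OVERSIZED_LIST = b'A003 LIST "" "' + b'A' * 1500 + b'"\r\n'  # no 0x0a within 1024


def newline_offset(payload: bytes) -> int:
    """Offset of the first 0x0a after the LIST match (-1 if none in payload);
    handy for checking a suspect packet against the within window by hand."""
    idx = payload.lower().find(LIST_PATTERN.lower())
    if idx == -1:
        return -1
    end = idx + len(LIST_PATTERN)
    pos = payload.find(NEWLINE, end)
    return -1 if pos == -1 else pos - end


if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_LIST),
                      ("lowercase", LOWERCASE_LIST),
                      ("oversized", OVERSIZED_LIST)):
        print(f"{name:10s} newline at +{newline_offset(pkt)} "
              f"-> fires: {sid1845_matches(pkt)}")
```

Run as a script it shows the benign and lowercase commands, which have a newline a handful of bytes after the match, not firing, while the 1500-byte argument with no newline inside the 1024-byte window does. If a packet that clearly has an early newline still triggers the rule on your sensor, the discrepancy is in the engine's `within` handling, not in the rule text.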