[Snort-sigs] Sid:1845 IMAP list overflow attempt

Michael Scheidell scheidell at ...249...
Thu Feb 27 04:46:05 EST 2003

> I'm getting a lot of hits on this rule, and they appear to be legitimate
> traffic.  Unfortunately, I'm not geeky enough to translate hex to ASCII
> and make sense of the content stuff, so maybe one of you who is can help
> me.
> Here's the rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow
> attempt"; flow:established,to_server; content:" LIST |22 22| "; nocase;
> content:!"|0a|"; within:1024; reference:nessus,10374;
> reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:5;)

I noticed that the snort 2.0 rule (still rev 5?) doesn't have the !"|0a|"
in it, but does add this:

within:1024; byte_test:5,>,256,string,dec,relative; 

Are they mutually exclusive? Should the !"|0a|" be added to the 2.0 rules
and rev bumped to 6?

Michael Scheidell
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
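
An added example, not part of the original post or of Snort itself: a simplified Python model of the two content options in the quoted rev 5 rule, showing what the `|22 22|` and `|0a|` hex escapes decode to and which constructed payloads satisfy the rule. The helper names and sample payloads are assumptions made for illustration, and the model treats a payload that ends inside the 1024-byte window as containing no line feed.

```python
def decode_content(pattern: str) -> bytes:
    """Turn a Snort content string such as ' LIST |22 22| ' into raw bytes."""
    out = bytearray()
    # Segments alternate: literal text, |hex bytes|, literal text, ...
    for i, part in enumerate(pattern.split("|")):
        if i % 2:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("ascii")
    return bytes(out)


FIRST = decode_content(' LIST |22 22| ')   # b' LIST "" '  (0x22 is a double quote)
NEWLINE = decode_content('|0a|')           # b'\n'         (0x0a is a line feed)


def rule_1845_matches(payload: bytes, within: int = 1024) -> bool:
    """Simplified model (assumption) of the quoted rule's two content options."""
    # content:" LIST |22 22| "; nocase;  -> case-insensitive search
    pos = payload.upper().find(FIRST.upper())
    if pos < 0:
        return False
    # content:!"|0a|"; within:1024;  -> no LF in the window after the first match
    start = pos + len(FIRST)
    return NEWLINE not in payload[start:start + within]


# Constructed payloads for illustration (not captured traffic).
SAMPLES = {
    "short, terminated": b'a001 LIST "" *\r\n',
    "lowercase verb": b'a002 list "" "INBOX.%"\r\n',
    "long argument, no LF in window": b'a003 LIST "" ' + b"A" * 1100 + b"\r\n",
    "segment ends before CRLF": b'a004 LIST "" "Sent Items',
    "other command": b'a005 SELECT INBOX\r\n',
}


def evaluate_samples() -> dict:
    """Return {sample name: True if the modelled rule would alert}."""
    return {name: rule_1845_matches(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    print(FIRST, NEWLINE)
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'pass '}  {name}")
```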
