[Snort-sigs] Sid:1845 IMAP list overflow attempt
scheidell at ...249...
Thu Feb 27 04:46:05 EST 2003
> I'm getting a lot of hits on this rule, and they appear to be legitimate
> traffic. Unfortunately, I'm not geeky enough to translate hex to ASCII
> and make sense of the content stuff, so maybe one of you who is can help
> Here's the rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow
> attempt"; flow:established,to_server; content:" LIST |22 22| "; nocase;
> content:!"|0a|"; within:1024; reference:nessus,10374;
> reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:5;)
I noticed that the snort 2.0 rule (still rev 5?) doesn't have the !"|0a|"
in it, but does add this:
are then mutually exclusive? Should the !"|0a|" be added to the 2.0 rules
and rev bumped to 6?
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
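
Added example (not part of the original post and not Snort's own code): a small Python sketch that decodes the |hex| spans in the quoted rule's content options and models its two content tests, to show what the !"|0a|" check changes. The function names and sample payloads are constructed for illustration, and the matching is a simplified model of Snort's behaviour.

```python
def decode_content(pattern: str) -> bytes:
    """Turn a Snort content string into raw bytes; |..| spans hold hex bytes."""
    out = bytearray()
    # Splitting on pipes: even-indexed parts are literal text, odd-indexed are hex.
    for i, part in enumerate(pattern.split("|")):
        if i % 2:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("ascii")
    return bytes(out)


def rule_1845_matches(payload: bytes, require_no_newline: bool = True) -> bool:
    """Simplified model of the quoted rule's content tests (assumption, not Snort code).

    require_no_newline=False drops the content:!"|0a|"; within:1024; test.
    """
    needle = decode_content(" LIST |22 22| ").lower()   # nocase
    newline = decode_content("|0a|")
    hay = payload.lower()
    start = 0
    while (pos := hay.find(needle, start)) >= 0:
        if not require_no_newline:
            return True
        end = pos + len(needle)
        window = payload[end:end + 1024]                # within:1024
        if newline not in window:                       # content:!"|0a|"
            return True
        start = pos + 1
    return False


# Constructed sample payloads (not captured traffic).
NORMAL_LIST = b'a001 LIST "" "*"\r\n'
LONG_LIST = b'a002 LIST "" "' + b"A" * 2000 + b'"\r\n'

if __name__ == "__main__":
    print(decode_content(" LIST |22 22| "))             # the bytes the rule looks for
    for name, p in (("normal", NORMAL_LIST), ("long", LONG_LIST)):
        print(name, rule_1845_matches(p), rule_1845_matches(p, False))
```

In this model an ordinary LIST command matches only when the newline test is left out, while a LIST argument running more than 1024 bytes without a newline matches either way.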