[Snort-sigs] Sid 1634 - more FPs

Schmehl, Paul L pauls at ...1311...
Thu Feb 27 19:29:14 EST 2003


alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow
attempt"; flow:to_server,established; content:"PASS "; nocase;
content:!"|0a|"; within:50; reference:cve,CAN-1999-1511;
reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)

This rule looks for a linefeed within 50 bytes of the password.  What
I'm seeing is clients who send a CR/LF immediately after the password,
which should not trigger this alert, right?  Yet it's being triggered.
Is this a known problem?

I'm using ver 1.9.0 Build 290 on FreeBSD 4.7.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
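An added example, not part of the original post or of Snort itself, that re-implements only the matching logic of sid:1634 as quoted above (content:"PASS "; nocase; then content:!"|0a|"; within:50;) so the benign CR/LF case and the genuine overflow case can be compared side by side. The function names, the sample payloads and the per-segment evaluation are all constructed for illustration; in particular, the assumption that each TCP segment is inspected on its own, without stream reassembly, is mine and is not something the post establishes, it is only one scenario under which a password followed by CR/LF could still alert.

```python
# Emulation of the two content checks in Snort sid:1634 rev:5 (added example,
# not Snort source). It models:
#   content:"PASS "; nocase;        -> case-insensitive search for "PASS "
#   content:!"|0a|"; within:50;     -> alert only if no LF (0x0a) occurs in the
#                                      50 bytes after the end of the "PASS " match
# Simplification: only the first "PASS " occurrence is considered.

WITHIN = 50  # bytes searched after the end of the previous match, per the rule


def pass_overflow_match(payload: bytes) -> bool:
    """Return True when the emulated rule would alert on this client payload."""
    idx = payload.upper().find(b"PASS ")
    if idx == -1:
        return False  # first content did not match: no alert
    start = idx + len(b"PASS ")
    window = payload[start:start + WITHIN]
    # Negated content: the rule fires only when the LF is absent from the window.
    return b"\n" not in window


def evaluate_segments(segments):
    """Evaluate each TCP segment independently (assumed packet-based inspection,
    no stream reassembly). Returns one verdict per segment."""
    return [pass_overflow_match(seg) for seg in segments]


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "normal login, CR/LF right after password": b"PASS s3cret\r\n",
    "lower-case verb, still matched by nocase": b"pass s3cret\r\n",
    "different command, rule does not apply": b"USER bob\r\n",
    "long password, no LF within 50 bytes": b"PASS " + b"A" * 200 + b"\r\n",
    "LF as the 50th byte after PASS (inside window)": b"PASS " + b"A" * 49 + b"\n",
    "LF as the 51st byte after PASS (outside window)": b"PASS " + b"A" * 50 + b"\n",
}


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{'ALERT ' if pass_overflow_match(payload) else 'ok    '} {label}")

    # Same benign login, but split so the CR/LF arrives in a separate segment.
    split = [b"PASS s3cret", b"\r\n"]
    print("per-segment verdicts for split login:", evaluate_segments(split))
```

Run stand-alone, the script shows that a normal `PASS s3cret\r\n` does not satisfy the rule, that the long-password case does, and where the 50-byte boundary falls. The last line shows the one constructed scenario in which a password that is followed by CR/LF on the wire would still alert: if the "PASS " segment is inspected before the segment carrying the line ending, the window contains no LF. Comparing a packet capture of the flagged sessions against that scenario is a direct way to confirm or rule it out.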
