[Snort-sigs] Sid 1634 - more FPs

Schmehl, Paul L pauls at ...1311...
Thu Feb 27 19:29:14 EST 2003


pop3.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow
attempt"; flow:to_server,established; content:"PASS "; nocase;
content:!"|0a|"; within:50; reference:cve,CAN-1999-1511;
reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)

This rule looks for a linefeed within 50 bytes of the password.  What
I'm seeing is clients who send a CR/LF immediately after the password,
which should not trigger this alert, right?  Yet it's being triggered.
Is this a known problem?

I'm using ver 1.9.0 Build 290 on FreeBSD 4.7.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
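A small added simulator (my own, not code from the post or from the Snort project) of the content matching the quoted rule performs, run over constructed PASS lines, to show which payloads the logic as written should and should not fire on:

```python
import re

# Added example: a minimal re-implementation of the content checks of
# SID 1634 as written in pop3.rules, so POP3 client traffic can be checked
# against the rule logic offline.  Assumptions: flow:to_server,established
# is already satisfied, and only the first "PASS " occurrence is evaluated
# (the real engine may retry on later occurrences).

LF = b"\x0a"

def sid1634_matches(payload: bytes, within: int = 50) -> bool:
    """Return True if the rule's content checks would fire on this payload.

    content:"PASS "; nocase;     -> find 'PASS ' (case-insensitive)
    content:!"|0a|"; within:50;  -> alert only if NO linefeed occurs in the
                                    50 bytes following the end of 'PASS '
    """
    m = re.search(rb"PASS ", payload, re.IGNORECASE)
    if not m:
        return False
    window = payload[m.end():m.end() + within]
    return LF not in window

# Constructed sample PASS commands (not captured traffic).
SAMPLES = {
    "short password, CR/LF right after": b"PASS s3cret\r\n",
    "lower-case command, CR/LF": b"pass s3cret\r\n",
    "49-byte password, then LF (LF is byte 50 of window)": b"PASS " + b"A" * 49 + b"\n",
    "50-byte password, LF falls outside the window": b"PASS " + b"A" * 50 + b"\r\n",
    "long password with no linefeed at all": b"PASS " + b"A" * 200,
}

def evaluate_samples() -> dict:
    """Map each sample description to whether the rule logic would alert."""
    return {name: sid1634_matches(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{'ALERT' if fired else 'ok   '}  {name}")
```

With the logic modelled this way, a password followed immediately by CR/LF never alerts; only a PASS argument that runs 50 or more bytes without a linefeed does.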




