[Snort-sigs] false +ves for IMAP login overflow (SID 1993)

Russell Fulton r.fulton at ...575...
Sun Jun 8 20:42:02 EDT 2003


alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal
buffer overflow attempt"; flow:established,to_server; content:" LOGIN ";
content:" {"; distance:0; nocase;
byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298;
classtype:misc-attack; sid:1993; rev:3;) 

I am getting about a dozen FPs a day on this rule, here is a typical
trigger stream:

000 : 30 30 32 50 20 43 41 50 41 42 49 4C 49 54 59 0D   002P CAPABILITY.
010 : 0A 30 30 32 51 20 4C 4F 47 49 4E 20 22 6C 73 61   .002Q LOGIN "lsa
020 : 6E 30 31 33 22 20 22 xx xx xx xx xx xx xx xx 22   n013" "xxxxxxxx"
030 : 0D 0A 30 30 32 53 20 49 44 4C 45 0D 0A 44 4F 4E   ..002S IDLE..DON
040 : 45 0D 0A 30 30 32 54 20 41 50 50 45 4E 44 20 22   E..002T APPEND "
050 : 53 65 6E 74 20 49 74 65 6D 73 22 20 28 5C 53 65   Sent Items" (\Se
060 : 65 6E 29 20 22 20 39 2D 4A 75 6E 2D 32 30 30 33   en) " 9-Jun-2003
070 : 20 31 31 3A 34 37 3A 32 37 20 2B 31 32 30 30 22    11:47:27 +1200"
080 : 20 7B 33 36 39 39 7D 0D 0A                         {3699}..

I understand what the rule tests, but since I am not that familiar with
the IMAP protocol details I can not fathom its intent.  The byte test is
clearly triggering on the "{3699}.." (3699 > 256) but this is not part
of the LOGIN command which is terminated by the 0D0A at 030.

Is the problem that there is no way of constraining the search for '{'
to stop when it finds the command terminator?


-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
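To see why this stream trips the rule, here is an added example (not from the original post or from the Snort project) that emulates the rule's matching steps in Python over the stream reconstructed from the hex dump above, beside a line-bounded check that only looks at the LOGIN command's own line. The masked password bytes and the second sample stream are constructed, and the byte_test emulation simply reads up to five leading decimal digits after the brace.

```python
import re

# Stream reconstructed from the hex dump in the post; the masked password
# bytes ("xx") are replaced with a constructed placeholder.
STREAM = (
    b"002P CAPABILITY\r\n"
    b'002Q LOGIN "lsan013" "xxxxxxxx"\r\n'
    b"002S IDLE\r\nDONE\r\n"
    b'002T APPEND "Sent Items" (\\Seen) " 9-Jun-2003 11:47:27 +1200" {3699}\r\n'
)

# Constructed sample of what the rule is meant to catch: a LOGIN whose
# password is sent as an IMAP literal with a count above the threshold.
LARGE_LOGIN_LITERAL = b"a1 LOGIN user {4096}\r\n"


def sid1993_matches(data: bytes, threshold: int = 256) -> bool:
    """Emulate SID 1993: match ' LOGIN ' (nocase), then ' {' anywhere later
    in the stream (distance:0 only means 'after the previous match', it does
    not stop at CRLF), then byte_test:5,>,256 on the digits after the brace."""
    m = re.search(rb" LOGIN ", data, re.IGNORECASE)
    if not m:
        return False
    brace = data.find(b" {", m.end())
    if brace == -1:
        return False
    digits = re.match(rb"\d{1,5}", data[brace + 2:])
    return bool(digits) and int(digits.group()) > threshold


def login_literal_too_long(data: bytes, threshold: int = 256) -> bool:
    """Line-bounded check: count a literal only when it ends a LOGIN line,
    so literals belonging to later commands (APPEND here) are ignored."""
    for line in data.split(b"\r\n"):
        m = re.search(rb"\bLOGIN\b.*\{(\d+)\+?\}$", line, re.IGNORECASE)
        if m and int(m.group(1)) > threshold:
            return True
    return False


if __name__ == "__main__":
    print("SID 1993 on captured stream:", sid1993_matches(STREAM))
    print("line-bounded on captured stream:", login_literal_too_long(STREAM))
    print("both on large LOGIN literal:",
          sid1993_matches(LARGE_LOGIN_LITERAL),
          login_literal_too_long(LARGE_LOGIN_LITERAL))
```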
