[Snort-sigs] false +ves for IMAP login overflow (SID 1993)

Brian bmc at ...95...
Mon Jun 9 06:38:18 EDT 2003


On Mon, Jun 09, 2003 at 03:40:59PM +1200, Russell Fulton wrote:
> 000 : 30 30 32 50 20 43 41 50 41 42 49 4C 49 54 59 0D   002P CAPABILITY.
> 010 : 0A 30 30 32 51 20 4C 4F 47 49 4E 20 22 6C 73 61   .002Q LOGIN "lsa
> 020 : 6E 30 31 33 22 20 22 xx xx xx xx xx xx xx xx 22   n013" "xxxxxxxx"
> 030 : 0D 0A 30 30 32 53 20 49 44 4C 45 0D 0A 44 4F 4E   ..002S IDLE..DON
> 040 : 45 0D 0A 30 30 32 54 20 41 50 50 45 4E 44 20 22   E..002T APPEND "
> 050 : 53 65 6E 74 20 49 74 65 6D 73 22 20 28 5C 53 65   Sent Items" (\Se
> 060 : 65 6E 29 20 22 20 39 2D 4A 75 6E 2D 32 30 30 33   en) " 9-Jun-2003
> 070 : 20 31 31 3A 34 37 3A 32 37 20 2B 31 32 30 30 22    11:47:27 +1200"
> 080 : 20 7B 33 36 39 39 7D 0D 0A                         {3699}..


> I understand what the rule tests, but since I am not that familiar with
> the IMAP protocol details I can not fathom its intent.  The byte test is
> clearly triggering on the "{3699}.." (3699 > 256) but this is not part
> of the LOGIN command which is terminated by the 0D0A at 030.

Basically, yes.  They are doing an append to the "Sent Items" folder of
a message of size 3699.  Those 

> Is the problem that there is no way of constraining the search for '{'
> to stop when it finds command terminator?

Yeap.  This would be useful.  Perhaps if/when some type of regex is
available, this can be accomplished with the regexes.

-brian
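To make the false positive concrete, here is an added Python sketch (not from the thread, and not Snort's own rule engine) that contrasts the whole-payload check the thread describes for SID 1993 with one that stops at the CRLF terminating the LOGIN command. The payload is reconstructed from the hex dump quoted above with the masked password bytes replaced by the letter x; the rule logic is a paraphrase of what the thread says the rule does, not the literal rule text.

```python
import re

# Constructed from the hex dump quoted in the thread; the masked password
# bytes ("xx") are replaced with the literal character 'x'.
SAMPLE_PAYLOAD = (
    b"002P CAPABILITY\r\n"
    b'002Q LOGIN "lsan013" "xxxxxxxx"\r\n'
    b"002S IDLE\r\nDONE\r\n"
    b'002T APPEND "Sent Items" (\\Seen) " 9-Jun-2003 11:47:27 +1200" {3699}\r\n'
)

# A constructed payload whose LOGIN command itself announces an oversized
# IMAP literal (3000 bytes), which is the case the rule is meant to catch.
LITERAL_LOGIN = b"A001 LOGIN {3000}\r\n"

# IMAP literal syntax: {<octet count>} or {<octet count>+} (LITERAL+ extension).
LITERAL_RE = re.compile(rb"\{(\d+)\+?\}")

def naive_match(payload: bytes, limit: int = 256) -> bool:
    """Mimics the behaviour the thread describes: after the word LOGIN,
    take the next '{' found anywhere in the payload and byte-test the
    decimal number that follows it against the limit."""
    idx = payload.upper().find(b"LOGIN")
    if idx < 0:
        return False
    m = LITERAL_RE.search(payload, idx)
    return m is not None and int(m.group(1)) > limit

def scoped_match(payload: bytes, limit: int = 256) -> bool:
    """Only examine literals on the LOGIN command's own line, i.e. stop at
    the CRLF that terminates the command, so literals belonging to later
    commands (such as the APPEND above) are never considered."""
    for line in payload.split(b"\r\n"):
        parts = line.split(b" ", 2)  # tag, command, arguments
        if len(parts) >= 2 and parts[1].upper() == b"LOGIN":
            return any(int(n) > limit for n in LITERAL_RE.findall(line))
    return False
```

On the quoted capture the naive check fires on the APPEND's {3699} while the scoped check does not; both fire on the constructed LOGIN-with-literal payload.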



