[Snort-sigs] false +ves for IMAP login overflow (SID 1993)

Russell Fulton r.fulton at ...575...
Mon Jun 9 14:38:08 EDT 2003


On Tue, 2003-06-10 at 01:37, Brian wrote:

> > Is the problem that there is no way of constraining the search for '{'
> > to stop when it finds command terminator?
> 
> Yeap.  This would be useful.  Perhaps if/when some type of regex is 
> available, this can be accomplished with the regexes.

.... alt_content "0d0a", "{": abort : continue; byte_test....

I have no idea how feasible this is to implement in the constraints of
the current matching engine.

This type of problem is causing FPs with many rules now, sigh... 

A couple of other ideas that would probably be much easier and more
efficient than full REs, and which would deal with most of the problematic
cases.

Hmmm.... I wonder if it could be done with a preprocessor that worked on
specific ports (like the telnet and http preprocessors) which split the
commands up before feeding them to the pattern matching engine. There
are quite a few important protocols that use 0d0a as their record
delimiter....

Another way to do it would be to have a special version of content that
terminated on 0d0a.

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
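The three approaches discussed in this thread (an unconstrained second content search, a search that aborts at the 0d0a command terminator, and a preprocessor that splits the stream into records first) can be modelled side by side in a few lines. The following is an added example, not code from this post or from Snort itself; the rule shape it assumes (match LOGIN, then "{", then compare the decimal literal size that follows against a limit) is taken from the discussion of SID 1993 in this thread, and the 256-byte limit and the IMAP session bytes are constructed for illustration, not the values of the real rule.

```python
# Added example: three ways to implement "LOGIN ... {<n>}" literal-size
# checking over an IMAP client stream, modelled on the Snort-sigs thread.
# Assumptions: LITERAL_LIMIT and the sample sessions are constructed.

CRLF = b"\r\n"          # IMAP command terminator (0d0a in the thread)
LITERAL_LIMIT = 256     # assumed threshold; not the value used by SID 1993


def _literal_length(payload: bytes, brace: int):
    """Parse the decimal literal size after the '{' at index `brace`.

    This mirrors a relative byte_test on a decimal string: read digits
    until a non-digit ('}' or end of data). Returns None if no digits.
    """
    j = brace + 1
    while j < len(payload) and payload[j:j + 1].isdigit():
        j += 1
    if j == brace + 1:
        return None
    return int(payload[brace + 1:j])


def naive_match(payload: bytes) -> bool:
    """Unconstrained search: LOGIN, then the next '{' anywhere after it.

    This is the behaviour the thread complains about: the '{' may belong
    to a later command (e.g. a legitimate APPEND literal), causing a false
    positive.
    """
    login = payload.upper().find(b"LOGIN")
    if login < 0:
        return False
    brace = payload.find(b"{", login)
    if brace < 0:
        return False
    n = _literal_length(payload, brace)
    return n is not None and n > LITERAL_LIMIT


def constrained_match(payload: bytes) -> bool:
    """Search for '{' aborts at the 0d0a that ends the LOGIN command.

    This is the 'content that terminates on 0d0a' / alt_content idea:
    the second match may only succeed inside the same command line.
    """
    login = payload.upper().find(b"LOGIN")
    if login < 0:
        return False
    end = payload.find(CRLF, login)
    if end < 0:
        end = len(payload)          # unterminated command: search to the end
    brace = payload.find(b"{", login, end)
    if brace < 0:
        return False
    n = _literal_length(payload, brace)
    return n is not None and n > LITERAL_LIMIT


def per_record_match(payload: bytes) -> bool:
    """Preprocessor-style: split the stream on 0d0a and run the simple
    check on each command record separately, so a '{' can never be
    borrowed from the next command."""
    return any(naive_match(rec) for rec in payload.split(CRLF) if rec)


# Constructed sample sessions (client -> server bytes).
BENIGN = b"a1 LOGIN user pass\r\na2 APPEND INBOX {1024}\r\n"  # legit literal
LONG_LITERAL = b"a1 LOGIN {2000}\r\n"                          # oversized
SMALL_LITERAL = b"a1 LOGIN {12}\r\n"                           # normal

if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("long", LONG_LITERAL),
                       ("small", SMALL_LITERAL)):
        print(f"{name:6} naive={naive_match(data)} "
              f"constrained={constrained_match(data)} "
              f"per_record={per_record_match(data)}")
```

Run stand-alone, the benign session shows the false positive only under naive_match, while both the terminator-constrained search and the record-splitting preprocessor leave it alone and still flag the oversized LOGIN literal.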
