[Snort-sigs] Signatures related to POP3 overflow attempt

Erik Alexander Løkken eal at ...835...
Thu May 15 15:46:05 EDT 2003


I'm experiencing a lot of false positives 
related to the different signatures related to POP3 overflow
attempts. After looking through the signatures I could understand
why. 

For example:

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2109; rev:1;)

This signature will alert if, for example, a username includes 
"top" in the name, and without a termination within 10. This is 
something that is not unlikely to happen. I've experienced several 
false positives related to this. I've also experienced
similar problems with all of the POP3 signatures related to 
POP3 commands and overflows. 

Since all of these signatures are related to POP3 commands, wouldn't it 
be possible to add depth 4 and offset 0 after the command?

For example:

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP "; offset:0; depth:4; nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2109; rev:1;)

/erik
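To make the false-positive mechanism in the post concrete, the following is an added example (not part of Erik's message or of the Snort rule set) that models the `content`, `nocase`, `offset`, `depth` and negated `content ... within` options with simplified semantics assumed from the Snort manual, and runs both the original sid 2109 rule and the proposed anchored variant over a few constructed POP3 payloads. The payload strings and the `Content`/`match_rule` names are constructed for this example.

```python
"""Simplified model of Snort content matching for the two POP3 TOP rules.

Semantics assumed here (a deliberate simplification of Snort's own engine):
  - content with offset/depth searches payload[offset : offset+depth];
    depth=None means "to the end of the payload".
  - a content carrying `within` is relative: its window is the `within`
    bytes that follow the end of the previous positive match.
  - a negated content (content:!"...") makes the rule fail if the pattern
    IS found in its window; the rule fires only when it is absent.
  - nocase compares after lower-casing both sides.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    negated: bool = False
    nocase: bool = False
    offset: int = 0
    depth: Optional[int] = None
    within: Optional[int] = None


def _find(haystack: bytes, needle: bytes, nocase: bool) -> int:
    if nocase:
        haystack, needle = haystack.lower(), needle.lower()
    return haystack.find(needle)


def match_rule(contents: List[Content], payload: bytes) -> bool:
    """Return True if every content option is satisfied (the rule would alert)."""
    cursor = 0  # byte position just after the last positive match
    for c in contents:
        if c.within is not None:
            start, end = cursor, cursor + c.within
        else:
            start = c.offset
            end = len(payload) if c.depth is None else c.offset + c.depth
        idx = _find(payload[start:end], c.pattern, c.nocase)
        found = idx != -1
        if c.negated:
            if found:
                return False  # the forbidden byte appeared inside the window
        else:
            if not found:
                return False
            cursor = start + idx + len(c.pattern)
    return True


# sid 2109 rev 1 as quoted in the post: "TOP" anywhere, then no LF within 10 bytes.
ORIGINAL_RULE = [
    Content(b"TOP", nocase=True),
    Content(b"\n", negated=True, within=10),
]

# The proposed variant: "TOP " must sit in the first 4 bytes of the payload.
PROPOSED_RULE = [
    Content(b"TOP ", nocase=True, offset=0, depth=4),
    Content(b"\n", negated=True, within=10),
]

# Constructed sample payloads (not captured traffic).
LEGIT_LONG_USERNAME = b"USER christopherwilliams\r\n"   # "top" inside a username
LEGIT_TOP_COMMAND = b"TOP 1 10\r\n"                     # a normal TOP command
OVERSIZED_TOP_COMMAND = b"TOP 1 " + b"A" * 200 + b"\r\n"  # the case the rule is for

SAMPLES = {
    "legit username containing 'top'": LEGIT_LONG_USERNAME,
    "legit TOP command": LEGIT_TOP_COMMAND,
    "oversized TOP argument": OVERSIZED_TOP_COMMAND,
}


def compare_rules() -> dict:
    """Evaluate both rules over every sample; values are (original, proposed)."""
    return {
        name: (match_rule(ORIGINAL_RULE, p), match_rule(PROPOSED_RULE, p))
        for name, p in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (orig, prop) in compare_rules().items():
        print(f"{name:40s} original={orig!s:5s} proposed={prop!s:5s}")
```

Running it shows the original rule firing on the username payload (the "top" in "christopher" is followed by more than 10 bytes before the line ends) while the anchored variant stays quiet, and both rules still fire on the oversized argument. The model also shows why `depth:4` is enough for a 4-byte pattern: with `offset:0` it leaves exactly one position where `"TOP "` can match, the start of the client line.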