Fw: [Snort-sigs] Signatures related to POP3 overflow attempt

operator operator at ...1493...
Fri May 16 06:25:03 EDT 2003


Sorry,

just to go on. Maybe the offset keyword could be kept off and the rule
should sound like:

 alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow
 attempt"; flow:to_server,established; content:"TOP "; depth:4; nocase;
 content:!"|0a|"; within:10; classtype:attempted-admin; sid:2109; rev:1;)

M.

 ----- Original Message -----
> From: "Erik Alexander Løkken" <eal at ...835...>
> To: <snort-sigs at lists.sourceforge.net>
> Sent: Friday, May 16, 2003 12:45 AM
> Subject: [Snort-sigs] Signatures related to POP3 overflow attempt
>
>
> > I'm experiencing a lot of false positives
> > related to the different signatures related to POP3 overflow
> > attempts. After looking through the signatures I could understand
> > why.
> >
> > For example:
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow
> > attempt"; flow:to_server,established; content:"TOP"; nocase;
> > content:!"|0a|"; within:10; classtype:attempted-admin; sid:2109; rev:1;)
> >
> > This signature will alert if for example a username includes the
> > top in the name. And without a termination within 10. This is
> > something that is not unlikely to happen. I've experienced several
> > false positives related to this. I've also experienced
> > similar problems with all of the POP3 signatures related to
> > POP3 commands and overflows.
> >
> > Since all of these signatures are related to POP3 commands, wouldn't it
> > be possible to add depth 4 and offset 0 after the command?
> >
> > For example:
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow
> > attempt"; flow:to_server,established; content:"TOP "; offset:0; depth:4;
> > nocase; content:!"|0a|"; within:10; classtype:attempted-admin; sid:2109;
> > rev:1;)
> >
> > /erik
> >
> >
>



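Added example, not part of the thread and not Snort's own code: a small Python model of the content / nocase / offset / depth / within matching semantics used by the two rules quoted above, run over constructed POP3 payloads. It shows why the unanchored rule (content:"TOP"; nocase; anywhere in the payload) fires on a username that merely contains "top", and why anchoring the command with depth:4 (offset:0 is the default, so dropping it as suggested changes nothing) stops that while still catching an oversized TOP argument. The payloads and the names Content, rule_matches and run_all are this example's own; real Snort has more keywords and edge cases than are modelled here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Content:
    """One content: option with the modifiers that appear in the thread."""
    pattern: bytes
    negated: bool = False          # content:!"..."
    nocase: bool = False           # case-insensitive compare
    offset: Optional[int] = None   # search window starts here (default 0)
    depth: Optional[int] = None    # window length from offset; match must fit inside
    within: Optional[int] = None   # window length measured from end of previous match


def _find(window: bytes, pattern: bytes, nocase: bool) -> int:
    """Return index of pattern inside window, or -1 (ASCII case folding only)."""
    if nocase:
        return window.lower().find(pattern.lower())
    return window.find(pattern)


def rule_matches(payload: bytes, contents: List[Content]) -> bool:
    """Evaluate a chain of content checks: each searches a window of the payload,
    'within' windows are relative to the previous positive match, and a negated
    content succeeds only when its pattern is absent from the window."""
    cursor = 0  # end of the previous positive match
    for c in contents:
        if c.within is not None:
            start, end = cursor, cursor + c.within
        else:
            start = c.offset or 0
            end = start + c.depth if c.depth is not None else len(payload)
        window = payload[start:end]
        idx = _find(window, c.pattern, c.nocase)
        found = idx >= 0
        if c.negated:
            if found:
                return False
            continue  # negated matches do not advance the cursor
        if not found:
            return False
        cursor = start + idx + len(c.pattern)
    return True


# The original sid:2109 as quoted in the thread: "TOP" may match anywhere.
ORIGINAL_RULE = [
    Content(b"TOP", nocase=True),
    Content(b"\n", negated=True, within=10),
]

# The proposed fix: "TOP " must be found inside the first 4 bytes of the payload.
ANCHORED_RULE = [
    Content(b"TOP ", nocase=True, offset=0, depth=4),
    Content(b"\n", negated=True, within=10),
]

# Constructed client -> server POP3 payloads (not captured traffic).
SAMPLES: Dict[str, bytes] = {
    "username containing 'top'": b"USER topography_user\r\n",
    "normal TOP command": b"TOP 1 5\r\n",
    "oversized TOP argument": b"TOP " + b"A" * 200 + b"\r\n",
}


def run_all() -> Dict[str, Tuple[bool, bool]]:
    """Map each sample to (original rule alerts?, anchored rule alerts?)."""
    return {
        name: (rule_matches(p, ORIGINAL_RULE), rule_matches(p, ANCHORED_RULE))
        for name, p in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (orig, fixed) in run_all().items():
        print(f"{name:30s} original={orig!s:5s} anchored={fixed}")
```

In the first sample the unanchored rule finds "top" at byte 5 and then sees no newline in the following ten bytes of the username, so it alerts; the anchored rule only inspects bytes 0 to 3 ("USER") and never matches. The oversized TOP argument still alerts under both rules, which is the detection the signature exists for.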



