[Snort-sigs] Re: Signatures related to POP3 overflow attempt

Nate Haggard nate at ...1546...
Thu May 29 05:32:13 EDT 2003

I have also had false positives with POP3.  The packets that trigger 
alerts all have |0a| in them so the rules should not be triggered, right?

05/05-18:05:21.126383 < l/l len: 6 l/l type: 0x1 0:40:96:41:E4:55
pkt type:0x0 proto: 0x800 len:0x52
xxx.xxx.xxx.xxx:1513 -> xxx.xxx.xxx.xxx:110 TCP TTL:128 TOS:0x0 ID:3055
8 IpLen:20 DgmLen:66 DF
***AP*** Seq: 0xCD6230C3  Ack: 0xA682401F  Win: 0xFAA9  TcpLen: 20
55 53 45 52 20 62 63 37 37 37 40 65 61 72 74 68  USER bc777 at ...1547...
6C 69 6E 6B 2E 6E 65 74 0D 0A                    link.net..

The packet ends with |0d 0a| (CRLF) and that should not match the rule 
with "content:"USER"; nocase; content:!"|0a|"; within:50;"

To fix this false positive add content:!"|0d|"; to the rule.  The rule 
modifications I have made are the following:

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow 
attempt"; flow:to_server,established; content:"USER "; nocase; 
content:!"|0a|"; within:50; content:!"|0d|"; within:50; 
reference:bugtraq,789; reference:cve,CVE-1999-0494; reference:nessus,10311; 
classtype:attempted-admin; sid:1866; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow 
attempt"; flow:to_server,established; content:"AUTH "; nocase; 
content:!"|0a|"; within:50; content:!"|0d|"; within:50; 
classtype:attempted-admin; sid:1936; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow 
attempt"; flow:to_server,established; content:"LIST "; nocase; 
content:!"|0a|"; within:50; content:!"|0d|"; within:50; 
reference:bugtraq,948; reference:cve,CAN-2000-0096; 
classtype:attempted-admin; sid:1937; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow 
attempt"; flow:to_server,established; content:"XTND "; nocase; 
content:!"|0a|"; within:50; content:!"|0d|"; within:50; 
classtype:attempted-admin; sid:1938; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow 
attempt"; flow:to_server,established; content:"PASS "; nocase; 
content:!"|0a|"; within:50; content:!"|0d|"; within:50; 
reference:cve,CAN-1999-1511; reference:nessus,10325; 
classtype:attempted-admin; sid:1634; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow 
attempt"; flow:to_server,established; content:"APOP "; nocase; 
content:!"|0a|"; within:256; content:!"|0d|"; within:256; 
reference:cve,CAN-2000-0841; reference:bugtraq,1652; 
reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:5;)

Nate Haggard
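The point the post turns on is how `within` binds: in a Snort rule it modifies only the content immediately before it, so a negated content with no `within` of its own is searched over the whole payload. The following is an added example, not code from the post or from Snort; it models the content / nocase / content:! / within semantics in a simplified way (within = "the N bytes after the previous positive match"), runs the rule over the packet payload quoted above, and over a constructed oversized USER line, to show why every negated content needs its own `within`.

```python
# Added example (not from the post or the Snort project): a minimal model of
# Snort content / nocase / content:! / within semantics, run over the packet
# payload quoted in the post and over a constructed oversized USER command.

# Payload rebuilt from the hex dump in the post.
CAPTURED = bytes.fromhex(
    "55 53 45 52 20 62 63 37 37 37 40 65 61 72 74 68"
    "6C 69 6E 6B 2E 6E 65 74 0D 0A"
)
# Constructed: a USER argument far longer than any real mailbox name, still
# terminated by CRLF as any POP3 client (scripted or not) would send it.
OVERSIZED = b"USER " + b"A" * 600 + b"\r\n"

# A check is (pattern, negated, nocase, within). `within` is simplified to
# "search only the N bytes after the end of the previous positive match";
# None means the whole payload is searched, which is what Snort does for a
# content carrying no relative modifier of its own.
def rule_matches(payload: bytes, checks: list) -> bool:
    doe = 0  # detection offset end: one past the last positive match
    for pattern, negated, nocase, within in checks:
        base = 0 if within is None else doe
        window = payload if within is None else payload[doe:doe + within]
        hay = window.lower() if nocase else window
        needle = pattern.lower() if nocase else pattern
        idx = hay.find(needle)
        if negated:
            if idx != -1:
                return False  # forbidden bytes present: rule does not fire
        else:
            if idx == -1:
                return False  # required bytes absent: rule does not fire
            doe = base + idx + len(pattern)
    return True

# `within:50` written once after the |0d| check binds only to that check;
# the |0a| check is then searched over the entire payload.
USER_RULE_UNBOUNDED_0A = [
    (b"USER ", False, True, None),
    (b"\x0a", True, False, None),
    (b"\x0d", True, False, 50),
]
# Each negated content carrying its own `within:50`.
USER_RULE_BOUNDED = [
    (b"USER ", False, True, None),
    (b"\x0a", True, False, 50),
    (b"\x0d", True, False, 50),
]

if __name__ == "__main__":
    for name, rule in (("unbounded", USER_RULE_UNBOUNDED_0A),
                       ("bounded", USER_RULE_BOUNDED)):
        print(name, "captured:", rule_matches(CAPTURED, rule),
              "oversized:", rule_matches(OVERSIZED, rule))
```

Neither variant fires on the captured 26-byte packet, but only the bounded variant fires on the oversized line: with the |0a| check unbounded, the CRLF at the very end of the 600-byte argument suppresses the alert.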
