[Snort-sigs] Snort details for SID 1937

Brian bmc at ...95...
Mon Nov 24 08:15:10 EST 2003


On Sun, Nov 23, 2003 at 11:45:48PM -0500, Christopher Davis wrote:
> False Positives:  None known.

Uh...

> 21:52:34.326692 0:a:f3:bd:1c:70 0:0:5e:0:1:2c ip 72: xxx.xxx.xxx.xxx.1980 > xxx.xxx.xxx.xxx.pop3: R [tcp sum ok] 1139222935:1139222953(18) win 0 [RST No TCP/No listener] (DF) (ttl 237, id 37441, len 58)
> 0x0000   4500 003a 9241 4000 ed06 6d61 18ee aabc        E..:.A at ...2035...
> 0x0010   816d 4903 07bc 006e 43e7 2997 0000 0000        .mI....nC.).....
> 0x0020   5004 0000 b0ca 0000 4e6f 2054 4350 2f4e        P.......No.TCP/N
> 0x0030   6f20 6c69 7374 656e 6572                       o.listener
> 
> This is not a vulnerable host, however, so this might not be useful.
> This is for version 3.0.2.

This request is a false positive.  There is no LIST overflow attempt
here.  The latest revision of the rule is much cleaner and should not
false positive.

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,CAN-2000-0096; classtype:attempted-admin; sid:1937; rev:4;)

-brian
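To make the false-positive argument concrete, here is an added example (not part of the thread and not Snort's own code) that parses the quoted hex dump, decodes the IPv4/TCP headers, and applies the rev:4 rule options (content/nocase, isdataat:10,relative, and the pcre) to the payload. The flow:to_server,established check is approximated by refusing bare RST segments and requiring destination port 110; that simplification is an assumption, since real Snort relies on its stream tracker. The "LIST AAAA..." and "LIST 1" payloads are constructed inputs.

```python
import re

# Hex dump quoted in the thread; the ASCII column is dropped because only the
# hex words are needed to rebuild the packet bytes.
QUOTED_DUMP = """
0x0000   4500 003a 9241 4000 ed06 6d61 18ee aabc
0x0010   816d 4903 07bc 006e 43e7 2997 0000 0000
0x0020   5004 0000 b0ca 0000 4e6f 2054 4350 2f4e
0x0030   6f20 6c69 7374 656e 6572
"""

# pcre:"/^LIST\s[^\n]{10}/smi" from the rev:4 rule, with the same flag set.
SID_1937_REV4_PCRE = re.compile(rb"^LIST\s[^\n]{10}", re.S | re.M | re.I)


def parse_hexdump(dump: str) -> bytes:
    """Turn tcpdump-style 'offset  xxxx xxxx ...' lines into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        parts = line.split()
        # parts[0] is the byte offset; the remaining words are hex
        for word in parts[1:]:
            out += bytes.fromhex(word)
    return bytes(out)


def decode_tcp(packet: bytes) -> dict:
    """Minimal IPv4/TCP decode: ports, flags and payload only."""
    ihl = (packet[0] & 0x0F) * 4                      # IP header length
    total_len = int.from_bytes(packet[2:4], "big")    # IP total length
    tcp = packet[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4                     # TCP header length
    flags = tcp[13]
    return {
        "src_port": int.from_bytes(tcp[0:2], "big"),
        "dst_port": int.from_bytes(tcp[2:4], "big"),
        "rst": bool(flags & 0x04),
        "ack": bool(flags & 0x10),
        "payload": tcp[data_off:],
    }


def sid_1937_rev4(pkt: dict) -> bool:
    """Evaluate the rev:4 options against a decoded packet.

    flow:to_server,established is approximated (assumption): the segment
    must be headed for port 110 and must not be a bare RST, which a stream
    tracker would never treat as part of an established session.
    """
    if pkt["dst_port"] != 110 or pkt["rst"]:
        return False
    payload = pkt["payload"]
    idx = payload.lower().find(b"list")               # content:"LIST"; nocase;
    if idx < 0:
        return False
    # isdataat:10,relative -> at least 10 bytes after the end of the match
    if len(payload) - (idx + len(b"LIST")) < 10:
        return False
    return SID_1937_REV4_PCRE.search(payload) is not None


def check_payload(payload: bytes) -> bool:
    """Run the rule over a payload as if it arrived on an established
    client->server POP3 session (constructed packet metadata)."""
    return sid_1937_rev4({"dst_port": 110, "rst": False, "payload": payload})


if __name__ == "__main__":
    pkt = decode_tcp(parse_hexdump(QUOTED_DUMP))
    print(pkt["src_port"], "->", pkt["dst_port"], "RST" if pkt["rst"] else "")
    print(pkt["payload"])                             # b'No TCP/No listener'
    print("quoted packet alerts:", sid_1937_rev4(pkt))
    # Same bytes, but pretend they arrived mid-session: "listener" still
    # contains "list" case-insensitively, yet isdataat and the anchored pcre
    # both reject it.
    print("payload on established flow:", check_payload(pkt["payload"]))
    print("constructed long LIST:", check_payload(b"LIST " + b"A" * 300 + b"\r\n"))
    print("constructed short LIST:", check_payload(b"LIST 1\r\n"))
```

The quoted packet fails on three independent counts: it is a RST with no session behind it, "list" only appears inside "listener" where neither a line start nor a following whitespace character exists, and there are only three bytes after that substring, far short of the ten that isdataat demands. The constructed 300-byte argument is what the rule is meant to catch.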
