[Snort-sigs] False positives on several rules on POP3

Cedric Foll cedric.foll at ...1947...
Wed Oct 22 13:48:12 EDT 2003


Hi,

I've got a lot of false positives on several rules related to POP3.

1) The rule 2109 POP3 TOP overflow attempt

This kind of packet matches the rule.
***AP*** Seq: 0x2E7D045E  Ack: 0x7C02CC6E  Win: 0xF86E  TcpLen: 20
54 4F 50 20 38 20 39 39 39 39 39 39 39 39 0D 0A  TOP 8 99999999..

I think that this kind of packet is normal, right?
The "within" option should be greater than 10. This kind of packet is
very frequent in my packets.


2) Rules POP3 (AUTH|USER) overflow attempt

TCP TTL:119 TOS:0x0 ID:1280 IpLen:20 DgmLen:57
***AP*** Seq: 0xF0F0DFA7  Ack: 0xFB8945D3  Win: 0x7F1E  TcpLen: 32
TCP Options (3) => NOP NOP TS: 866 166313267
41 55 54 48 20                                   AUTH

TCP TTL:119 TOS:0x0 ID:1286 IpLen:20 DgmLen:56
***AP*** Seq: 0xF0F0DFD7  Ack: 0xFB894607  Win: 0x7EEA  TcpLen: 32
TCP Options (3) => NOP NOP TS: 874 166313345
53 54 41 54                                      STAT


I don't know what to think about these kinds of packets ...
I get a lot of these from a lot of different IP addresses.

The problem is that the client doesn't send any |0a| byte.

We should add, at least, a "dsize: >15", right?


Regards
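An added example, not part of the original post or of the Snort rule set: a small Python emulation of the rule shape the post implies (a keyword `content` match followed by a negated `|0a|` content with a `within` window, optionally gated by `dsize`), run over the payloads quoted in the post. The exact rule text, the window sizes and the `dsize` threshold are assumptions; only the payload bytes come from the post.

```python
# Constructed inputs: the three payloads quoted in the post, plus one
# constructed long TOP argument standing in for the case the rule targets.
TOP_PKT = b"TOP 8 99999999\r\n"   # 16 bytes, LF at offset 12 after "TOP"
AUTH_PKT = b"AUTH "               # 5 bytes, no LF at all
STAT_PKT = b"STAT"                # 4 bytes, no LF at all
LONG_TOP = b"TOP 1 " + b"A" * 200 + b"\r\n"  # constructed long argument


def emulate(payload: bytes, keyword: bytes, within: int, min_dsize: int = 0) -> bool:
    """Return True if the emulated rule would alert on this payload.

    Assumed rule shape (not the real SID text):
      content:"<keyword>"; nocase;
      content:!"|0a|"; within:<within>;   # no LF in the next `within` bytes
      dsize:><min_dsize>;                  # optional, as proposed in the post
    """
    # dsize:>N is checked against the whole TCP payload length.
    if len(payload) <= min_dsize:
        return False
    idx = payload.lower().find(keyword.lower())  # nocase keyword match
    if idx < 0:
        return False
    end = idx + len(keyword)
    window = payload[end:end + within]
    # Negated content: the rule fires only when no LF appears inside the
    # window. A short benign command whose LF lies beyond the window, or a
    # fragment carrying no LF at all (the AUTH/STAT packets), still alerts.
    return b"\n" not in window


def results() -> dict:
    """Run the emulation over each scenario discussed in the post."""
    return {
        # LF sits at relative offset 12, outside a 10-byte window: alert.
        "top_within_10": emulate(TOP_PKT, b"TOP", 10),
        # Widening the window past the LF clears the benign TOP command.
        "top_within_16": emulate(TOP_PKT, b"TOP", 16),
        # The genuinely long argument still alerts with the wider window.
        "long_top_within_16": emulate(LONG_TOP, b"TOP", 16),
        # A bare "AUTH " fragment with no LF alerts regardless of window.
        "auth_no_dsize": emulate(AUTH_PKT, b"AUTH", 50),
        # The proposed dsize:>15 gate drops the short fragment.
        "auth_dsize_15": emulate(AUTH_PKT, b"AUTH", 50, min_dsize=15),
        "stat_dsize_15": emulate(STAT_PKT, b"STAT", 50, min_dsize=15),
    }


if __name__ == "__main__":
    for name, fired in results().items():
        print(f"{name:20s} alert={fired}")
```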
