[Snort-sigs] NIDS Signature # 1930: False positive

Bob Van Cleef vancleef at ...2124...
Mon Aug 16 07:52:52 EDT 2004


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth literal overflow attempt"; flow:established,to_server; content:" AUTH"; nocase; content:"{"; byte_test:5,>,256,0,string,dec,relative; reference:cve,CVE-1999-0005; classtype:misc-attack; sid:1930; rev:2;)

--
Sid: 1930

--
Summary:

Spotted three false positives.

--
Impact:

False positive

--
Detailed Information:

Spotted three log entries for this signature, reporting
a normal IMAP connection from a normal user.

--
Affected Systems:

Windows 2K Professional w/ Mozilla IMAP Client

CommunigatePro IMAP server

--
Attack Scenarios:

n/a

--
Ease of Attack:

n/a

--
False Positives: Here is one sample:

Personal information in the ASCII section converted to XXXXXX
Personal information in the HEX section converted to 00 00 00

[**] IMAP auth literal overflow attempt [**]
08/12-08:06:29.641540 10.25.59.47:1640 -> 10.25.58.7:143
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1643
***AP*** Seq: 0x6863BCAE  Ack: 0x61AAAE88  Win: 0xBC34  TcpLen: 20
31 20 61 75 74 68 65 6E 74 69 63 61 74 65 20 43  1 authenticate C
52 41 4D 2D 4D 44 35 0D 0A 59 6E 6C 71 4D 58 42  RAM-MD5..YnlqMXB
70 64 43 42 6C 4F 54 68 6D 4E 44 49 34 59 6A 55  pdCBlOThmNDI4YjU
30 59 6A 46 68 4D 6A 4D 32 59 6D 4A 6B 4F 54 4D  0YjFhMjM2YmJkOTM
35 59 7A 5A 6D 4F 44 45 34 5A 54 64 6A 4F 41 3D  5YzZmODE4ZTdjOA=
3D 0D 0A 32 20 6C 6F 67 69 6E 20 22 00 00 00 00  =..2 login "XXXX
00 00 00 22 20 22 00 00 00 00 00 22 0D 0A 33 20  XXX" "XXXXX"..3
61 70 70 65 6E 64 20 22 53 65 6E 74 22 20 28 5C  append "Sent" (\
53 65 65 6E 29 20 7B 31 35 34 30 2B 7D 0D 0A 4D  Seen) {1540+}..M
65 73 73 61 67 65 2D 49 44 3A 20 3C 34 31 31 42  essage-ID: <411B
38 37 39 41 2E 36 30 37 30 36 30 34 40 00 00 00  879A.6070604 at ...2732...
2E 00 00 00 00 00 2E 63 6F 6D 3E 0D 0A 44 61 74  .XXXXX.com>..Dat
65 3A 20 54 68 75 2C 20 31 32 20 41 75 67 20 32  e: Thu, 12 Aug 2
30 30 34 20 31 31 3A 30 37 3A 30 36 20 2D 30 34  004 11:07:06 -04
30 30 0D 0A 46 72 6F 6D 3A 20 4A 00 00 00 00 00  00..From: XXXXXX
00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00  XXXXXX <XXXXXXXX
00 00 00 00 40 00 00 00 00 00 00 00 00 00 2E 63  XXXX at ...2733...
6F 6D 3E 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  om>..User-Agent:
20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69   Mozilla/5.0 (Wi

--
False Negatives:

n/a

--
Corrective Action:

n/a

--
Contributors:

n/a

--
Additional References:

n/a
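The following Python script is an added illustration, not part of the report and not code from the snort.org ruleset. It replays the rev:2 match logic of sid 1930 against a payload reconstructed from the sanitized dump above (the login and address fields are constructed placeholders), then shows a tighter check that only counts a literal on the AUTH/AUTHENTICATE command line itself. The tighter check is the editor's own illustration of why the sample fires and is not the revision Sourcefire shipped.

```python
import re

# Constructed sample modelled on the sanitized dump in the report: a CRAM-MD5
# login followed by an APPEND whose 1540-byte literal is perfectly legitimate.
# Names and addresses are placeholders, not the values from the capture.
FALSE_POSITIVE_PAYLOAD = (
    b"1 authenticate CRAM-MD5\r\n"
    b"YnlqMXBpdCBlOThmNDI4YjU0YjFhMjM2YmJkOTM5YzZmODE4ZTdjOA==\r\n"
    b'2 login "user" "pass"\r\n'
    b'3 append "Sent" (\\Seen) {1540+}\r\n'
    b"Message-ID: <placeholder@example.com>\r\n"
)

# Constructed sample of what the rule is meant to catch: an oversized literal
# announced on the AUTHENTICATE line itself (the CVE-1999-0005 pattern).
OVERSIZED_AUTH_PAYLOAD = b"1 AUTHENTICATE {99999}\r\n" + b"A" * 99999 + b"\r\n"


def byte_test_string_dec(buf, offset, nbytes):
    """Mimic byte_test:<nbytes>,>,N,<off>,string,dec: read up to nbytes of ASCII
    and convert the leading run of digits to an integer (None if no digits)."""
    chunk = buf[offset:offset + nbytes]
    m = re.match(rb"\d+", chunk)
    return int(m.group(0)) if m else None


def sid1930_rev2_matches(payload):
    """Replay the rev:2 logic quoted in the report.

    content:" AUTH" nocase   -> ' auth' anywhere in the payload
    content:"{"              -> the FIRST '{' anywhere (no distance/within,
                                so it is not tied to the AUTH command line)
    byte_test:5,>,256,0,string,dec,relative -> the 5 bytes after '{' as a
                                decimal string must exceed 256
    """
    if b" auth" not in payload.lower():
        return False
    brace = payload.find(b"{")
    if brace < 0:
        return False
    n = byte_test_string_dec(payload, brace + 1, 5)
    return n is not None and n > 256


def auth_literal_same_line(payload):
    """Illustrative tighter check (an assumption, not the ruleset's fix):
    only a literal that appears on the same command line as AUTH/AUTHENTICATE,
    before the CRLF that terminates that command, counts as suspicious."""
    for line in payload.split(b"\r\n"):
        if re.search(rb"\sAUTH", line, re.IGNORECASE):
            m = re.search(rb"\{(\d+)\+?\}", line)
            if m and int(m.group(1)) > 256:
                return True
    return False


if __name__ == "__main__":
    for name, pkt in (("report sample", FALSE_POSITIVE_PAYLOAD),
                      ("oversized auth literal", OVERSIZED_AUTH_PAYLOAD)):
        print(f"{name}: rev2 alerts={sid1930_rev2_matches(pkt)} "
              f"same-line check alerts={auth_literal_same_line(pkt)}")
```

In the report's sample the " AUTH" match comes from "1 authenticate", but the only "{" in the packet belongs to the later APPEND command, and 1540 is greater than 256, so rev:2 fires on an ordinary mail-save. Restricting the literal check to the AUTHENTICATE line keeps the oversized-literal case while leaving APPEND literals alone.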