[Snort-sigs] False +ve for IMAP PCT Client_Hello overflow attempt: Sig ID 2517

Russell Fulton r.fulton at ...575...
Tue Dec 21 18:46:01 EST 2004


I am seeing quite a few of these between systems on the local net:

META
--------
SID     CID     TimeStamp               Signature                                 Sig ID
7       289075  2004-12-22 15:32:32     IMAP PCT Client_Hello overflow attempt    2517

Sensor Hostname                         Sensor Interface
monitor-tmk.itss        bge0

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.216.120.183 130.216.128.4   4       5
TOS     length  ID      flags   offset  TTL     chksum
0       67      59085   2       0       128     5499

Resolved Source
j.shadbolt.aud.auckland.ac.nz

Resolved Dest
medmail.auckland.ac.nz 

TCP
--------
Source Port     Dest Port       Seq             Ack             
1830            993             3510164160      2959641402
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               24      64481   6015            0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X                               

DATA
--------
17030100168F48B9C1DC    ......H...
C38FF01A854F27513C07    .....O'Q<.
A9A36312500F79  ..c.P.y
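
Added example, not part of the original post: a small triage script that decodes the DATA bytes of the alert above as an SSL/TLS record header and checks the result against the IP and TCP header fields shown in the alert. The function names are hypothetical, and reading the payload as a TLS record is an assumption based on the destination port (993).

```python
# Added triage example, not from the original post.
import struct

# Payload hex copied from the DATA section of the alert.
PAYLOAD_HEX = "17030100168F48B9C1DC" "C38FF01A854F27513C07" "A9A36312500F79"

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_tls_record(payload: bytes) -> dict:
    """Parse the 5-byte record header; raise ValueError if it is not one."""
    if len(payload) < 5:
        raise ValueError("too short for a TLS record header")
    ctype, version, length = struct.unpack("!BHH", payload[:5])
    if ctype not in TLS_CONTENT_TYPES or version not in TLS_VERSIONS:
        raise ValueError("not a TLS record header")
    return {"type": TLS_CONTENT_TYPES[ctype],
            "version": TLS_VERSIONS[version],
            "length": length,
            # True when the packet holds exactly one whole record.
            "complete": len(payload) == 5 + length}


def tcp_payload_len(ip_total_len: int, ip_hdr_words: int, tcp_off_words: int) -> int:
    """TCP payload size; both header lengths are given in 32-bit words."""
    return ip_total_len - 4 * ip_hdr_words - 4 * tcp_off_words


def triage(payload_hex: str, ip_total_len: int, ip_hdr_words: int, tcp_off_words: int) -> dict:
    payload = bytes.fromhex(payload_hex)
    record = parse_tls_record(payload)
    # Confirms the hex dump is the entire TCP payload, not a truncated view.
    record["matches_ip_length"] = (
        tcp_payload_len(ip_total_len, ip_hdr_words, tcp_off_words) == len(payload))
    # In SSL 3.0/TLS a Client_Hello travels in a handshake record (type 22);
    # application_data (type 23) is sent only after the handshake.
    record["is_handshake"] = record["type"] == "handshake"
    return record


if __name__ == "__main__":
    # IP length 67, IP Hdr Len 5, TCP Offset 5: values from the alert.
    for key, value in triage(PAYLOAD_HEX, 67, 5, 5).items():
        print(f"{key}: {value}")
```

The payload decodes as one complete TLS 1.0 application_data record of 22 bytes, and 5 + 22 bytes equals the 27-byte TCP payload implied by the IP length of 67.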





