[Snort-sigs] Bug in 1934.6? (POP2 FOLD overflow attempt)

nnposter at ...592... nnposter at ...592...
Tue Jul 6 15:05:06 EDT 2004


In a recent update of 1934 to revision 6 relative clause isdataat
has been moved in front of the content clause. The net effect is
that isdataat no longer tests the length of the payload after
the content clause (FOLD command) but simply acts as a dsize clause.

Is this a bug or am I missing something?

alert tcp $EXTERNAL_NET any -> $HOME_NET 109 
(msg:"POP2 FOLD overflow attempt"; flow:established,to_server; 
isdataat:256,relative; content:"FOLD"; 
pcre:"/^FOLD\s[^\n]{256}/smi"; 
reference:bugtraq,283; reference:cve,1999-0920; 
classtype:attempted-admin; sid:1934; rev:6;) 

P.S. Unrelated, missing nocase after content has been already reported.




More information about the Snort-sigs mailing list