[Snort-sigs] probable false positive (NOT attack information; this is a "possible bug" report)

Gabriel Maybrun gmaybrun at ...2626...
Wed Jul 14 13:13:56 EDT 2004


Rule:  
POP3 PCT Client_Hello overflow attempt
          
--
Sid:
2518

--
Summary:
Snort is reporting this overflow attempt when no overflow attempt was made -- my only conclusion, of course, would be a false positive.
More information below...

--
Impact:
Just annoying, no serious impact...

--
Detailed Information:
Box A: Snort 2.1.2, Postfix 2.0.19, Courier-Imap 3.0.2 (using courier-imapd-ssl and courier-pop3d-ssl; non-ssl pop3 and imap have been disabled),
on a Gentoo Linux system running kernel 2.6.7 with grsecurity/PaX patches.

Thunderbird 0.6 is set up on Boxes B (Linux) and C (Windows).  I have 4 email accounts which all connect to Box A via pop3-ssl when I start Thunderbird, and check for new emails.
I have Thunderbird checking again every minute or two.  The false "POP3 PCT overflow attempt" doesn't come up every time I check my email, but about 1 in 30 times.
I know this isn't an attack because they always coincide with when I check mail (coincide as in, to the second, according to postfix's reports to syslog-ng).
And the source IP is always from my own computer.

I'm sorry if this isn't enough detail... If you contact me I'll gladly give you all the information you want.
--
Affected Systems:
Gentoo Linux, kernel 2.6.7 with grsecurity/PaX patches, running Snort 2.1.2, Postfix 2.0.19, Courier-Imap 3.0.2
(using courier-imapd-ssl and courier-pop3d-ssl; non-ssl pop3 and imap have been disabled).


--
Attack Scenarios:
Fire up Thunderbird (on either my Windows XP or Linux box), and wait, checking Snort logs.  Eventually, this attempt is reported.
Shut down Thunderbird, and wait several days.  Nothing happens.


--
Ease of Attack:
Bug.  N/A


--
False Positives:
See above.


--
False Negatives:
N/A

--
Corrective Action:
N/A


--
Contributors:
N/A


-- 
Additional References:
N/A
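The reasoning in the report (alerts that coincide to the second with the reporter's own mail checks, always from the reporter's own address) can be checked mechanically. The following is an added example, not part of the original post or of Snort, that correlates Snort fast-format alert lines with courier pop3d-ssl LOGIN lines from syslog over constructed sample data; the addresses, hostname, user name and the one-second tolerance are assumptions.

```python
import re
from datetime import datetime
# Constructed sample input, not taken from the report.
SNORT_ALERTS = """\
07/14-13:13:56.104211 [**] [1:2518:1] POP3 PCT Client_Hello overflow attempt [**] {TCP} 192.168.1.20:41022 -> 192.168.1.10:995
07/14-13:20:02.887310 [**] [1:2518:1] POP3 PCT Client_Hello overflow attempt [**] {TCP} 10.9.8.7:53120 -> 192.168.1.10:995
"""
MAIL_LOG = """\
Jul 14 13:13:56 boxa pop3d-ssl: LOGIN, user=gabe, ip=[192.168.1.20]
Jul 14 13:15:01 boxa pop3d-ssl: LOGIN, user=gabe, ip=[192.168.1.20]
"""
TRUSTED_CLIENTS = {"192.168.1.20"}   # the reporter's own Thunderbird box (assumed address)
YEAR = 2004                          # syslog lines carry no year

ALERT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[1:(\d+):\d+\] (.*?) \[\*\*\]"
                      r".*\{TCP\} ([\d.]+):\d+ -> ([\d.]+):(\d+)")
LOGIN_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ pop3d-ssl: LOGIN, user=(\S+), ip=\[([\d.]+)\]")

def parse_alerts(text):
    """Parse Snort 'fast' alert lines into dicts with a datetime, sid, source and destination."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            mon, day, hms, sid, msg, src, dst, dport = m.groups()
            ts = datetime.strptime(f"{YEAR}-{mon}-{day} {hms}", "%Y-%m-%d %H:%M:%S")
            alerts.append({"ts": ts, "sid": int(sid), "msg": msg, "src": src, "dst": dst, "dport": int(dport)})
    return alerts

def parse_logins(text):
    """Parse courier pop3d-ssl LOGIN lines from syslog into dicts with a datetime, user and client IP."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            mon, day, hms, user, ip = m.groups()
            ts = datetime.strptime(f"{YEAR}-{mon}-{day} {hms}", "%Y-%b-%d %H:%M:%S")
            logins.append({"ts": ts, "user": user, "ip": ip})
    return logins

def classify(alerts, logins, tolerance_s=1):
    """Mark an alert 'likely-fp' when it coincides (within tolerance) with a login from the same trusted IP."""
    verdicts = []
    for a in alerts:
        same_client = [l for l in logins if l["ip"] == a["src"]
                       and abs((l["ts"] - a["ts"]).total_seconds()) <= tolerance_s]
        fp = a["src"] in TRUSTED_CLIENTS and bool(same_client)
        verdicts.append((a["sid"], a["src"], "likely-fp" if fp else "investigate"))
    return verdicts
```

The second constructed alert, from an address that is neither trusted nor matched by a login, is left as "investigate", which is the case the report's reasoning does not cover.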