[Snort-sigs] probable false positive (NOT attack information; this is a "possible bug" report)
gmaybrun at ...2626...
Wed Jul 14 13:13:56 EDT 2004
PO3 PCT Client_Hello overflow attempt
Snort is reporting this overflow attempt, when no overflow attempt was made -- my only conclusion, of course, would be a false positive.
More information below...
Just annoying, no serious impact...
Box A: Snort 2.1.2, Postfix 2.0.19, Courier-Imap 3.0.2 (using courier-imapd-ssl and courier-pop3d-ssl; non-ssl pop3 and imap have been disabled),
on a Gentoo Linux system running kernel 2.6.7 with grsecurity/PaX patches.
Thunderbird 0.6 is set up on Boxes B (Linux) and C (Windows). I have 4 email accounts which all connect to Box A via pop3-ssl when I start Thunderbird, and check for new emails.
I have Thunderbird checking again every minute or two. The false "PO3 PCT overflow attempt" doesn't come up every time I check my email, but about 1 in 30 times.
I know this isn't an attack because they always coincide with when I check mail (coincide as in, to the second, according to postfix's reports to syslog-ng).
And the source IP is always from my own computer.
I'm sorry if this isn't enough detail... If you contact me I'll gladly give you all the information you want.
Gentoo Linux, kernel 2.6.7 with grsecurity/PaX patches, running Snort 2.1.2, Postfix 2.0.19, Courier-Imap 3.0.2
(using courier-imapd-ssl and courier-pop3d-ssl; non-ssl pop3 and imap have been disabled).
Fire up Thunderbird (on either my Windows XP or Linux box), and wait, checking Snort logs. Eventually, this attempt is reported.
Shut down Thunderbird, and wait several days. Nothing happens.
Ease of Attack:
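The argument in the report (the alert fires to the second with my own client's POP3-SSL logins, and only from my own address) can be checked mechanically before tuning anything. The script below is an added example, not code from the poster or from the Snort project: it parses Snort fast-format alert lines and courier pop3d-ssl syslog LOGIN lines (sample lines constructed here, SID 9999999 a placeholder) and marks an alert a probable false positive only when its source is a listed local mail client that logged in within a two-second window; the `own_hosts` and `window_s` parameter names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample input (not from the post): Snort "fast" alert lines and courier
# pop3d-ssl LOGIN lines as syslog writes them. SID 9999999 is a placeholder; neither
# format carries a year, and courier may log the client as ::ffff:a.b.c.d.
SNORT_ALERTS = """\
07/14-13:13:56.418211 [**] [1:9999999:1] POP3 PCT Client_Hello overflow attempt [**] [Priority: 1] {TCP} 192.168.1.20:45012 -> 192.168.1.10:995
07/14-13:41:02.003947 [**] [1:9999999:1] POP3 PCT Client_Hello overflow attempt [**] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.168.1.10:995
"""
SYSLOG = """\
Jul 14 13:13:56 boxa pop3d-ssl: LOGIN, user=alice, ip=[192.168.1.20]
Jul 14 13:13:57 boxa pop3d-ssl: LOGIN, user=bob, ip=[::ffff:192.168.1.20]
Jul 14 13:40:10 boxa pop3d-ssl: LOGIN, user=alice, ip=[192.168.1.20]
"""
ALERT_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[\d+:\d+:\d+\] "
                      r"(.+?) \[\*\*\].*\{TCP\} (\S+):\d+ -> \S+:(\d+)$")
LOGIN_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ pop3d-ssl: LOGIN, "
                      r"user=\S+, ip=\[(?:::ffff:)?([\d.]+)\]$")

def parse_alerts(text, year=2004):
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            mon, day, clock, msg, src, dport = m.groups()
            ts = datetime.strptime(f"{year}/{mon}/{day} {clock}", "%Y/%m/%d %H:%M:%S")
            alerts.append({"ts": ts, "msg": msg, "src": src, "dport": int(dport)})
    return alerts

def parse_logins(text, year=2004):
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            mon, day, clock, ip = m.groups()  # the ::ffff: prefix is stripped by the regex
            ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
            logins.append({"ts": ts, "ip": ip})
    return logins

def triage(alerts, logins, own_hosts, window_s=2):
    """'probable-fp' only if the alert's source is one of our own mail clients AND that
    same address completed a POP3-SSL login within window_s seconds; else 'review'."""
    out = []
    for a in alerts:
        hit = any(l["ip"] == a["src"] and abs((l["ts"] - a["ts"]).total_seconds()) <= window_s
                  for l in logins)
        label = "probable-fp" if a["src"] in own_hosts and hit else "review"
        out.append((a["ts"].strftime("%H:%M:%S"), a["src"], a["dport"], label))
    return out
```

Once an alert is confirmed this way, Snort 2.x lets you suppress it for that one source in threshold.conf (`suppress gen_id 1, sig_id <SID>, track by_src, ip <client>`) instead of disabling the rule for every source.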