[Snort-sigs] POP2 commands case-sensitive?

nnposter at ...592... nnposter at ...592...
Tue Jun 8 10:03:25 EDT 2004


The latest release of the ruleset for 2.1 turned on case sensitivity for POP2
commands in SIDs 1934 and 1935. The April release assumed
case-insensitivity, which seems to be more in line with RFC 1939, section
3 (http://www.faqs.org/rfcs/rfc1939.html). This is an RFC for POP3 but it
was built on top of POP2. The RFC for POP2 does not prescribe case-sensitivity
(or lack of it). Hence it seems prudent to assume that POP2 commands are case
insensitive as well. OTOH, I can be completely wrong.

Cheers,
nnposter



P.S. As a side note, it seems that the rule definition for 1935 was
changed sometime in May but the revision number has NOT been incremented.

April version of 1935.4:

alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:to_server,established; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:1935; rev:4;)

Current version of 1935.4:

alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:established,to_server; pcre:"/^FOLD\s+\//smi"; content:"FOLD"; classtype:misc-attack; sid:1935; rev:4;)
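
An added example, not part of the original post or of the Snort ruleset: a simplified Python model of the payload options in the two revisions of SID 1935 quoted above, run over constructed POP2 command lines to show where the two revisions disagree. It assumes a rule fires only when every payload option matches and does not model flow, ports or Snort's fast-pattern matcher; the function names are hypothetical.

```python
import re

# pcre:"/^FOLD\s+\//smi" -- identical in both revisions; /i makes it case-insensitive.
PCRE = re.compile(rb"^FOLD\s+/", re.S | re.M | re.I)


def content_match(payload: bytes, pattern: bytes, nocase: bool) -> bool:
    """Model of the 'content' option: byte substring search over the payload."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def april_rule(payload: bytes) -> bool:
    # content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi";
    return content_match(payload, b"FOLD", nocase=True) and bool(PCRE.search(payload))


def current_rule(payload: bytes) -> bool:
    # pcre:"/^FOLD\s+\//smi"; content:"FOLD";   (no nocase modifier)
    return bool(PCRE.search(payload)) and content_match(payload, b"FOLD", nocase=False)


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    b"FOLD /etc/passwd\r\n",
    b"fold /etc/passwd\r\n",
    b"Fold\t/etc/passwd\r\n",
    b"FOLD inbox\r\n",
    b"HELO user pass\r\nfold /tmp/x\r\n",
]


def compare(samples=SAMPLES):
    """Return (payload, april_fires, current_fires) for each sample."""
    return [(s, april_rule(s), current_rule(s)) for s in samples]


def coverage_gaps(samples=SAMPLES):
    """Payloads the April revision flags but the current revision does not."""
    return [s for s, april, current in compare(samples) if april and not current]


if __name__ == "__main__":
    for payload, april, current in compare():
        note = "  <-- only April revision fires" if april and not current else ""
        print(f"{payload!r:40} april={april!s:5} current={current!s:5}{note}")
```

In this model the `/i` flag on the pcre does not help the current revision, because the case-sensitive `content:"FOLD"` must also match before the rule fires.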



