[Snort-sigs] False positive found for rule sid=1634

Bobby Kuzma bobby at ...2342...
Thu Mar 25 14:45:19 EST 2004


Rule:  alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:cve,CAN-1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:8;)

--
Sid: 1634

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives: This rule can generate a false positive when the AppleMail
client is used to retrieve mail via POP3.

--
False Negatives:

--
Corrective Action:

--
Contributors:

--
Additional References:

Thanks,

Bobby Kuzma
USA Computer Technologies Inc
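
Added example, not part of the original post or of the Snort rule set: a Python approximation of sid 1634's payload options, run over constructed POP3 client payloads, showing that the rule keys only on the length of the line after PASS. The function names and sample payloads are assumptions made for illustration; AppleMail traffic is not reproduced because the post does not include any.

```python
import re

# pcre:"/^PASS\s[^\n]{50}/smi" -> flags s (DOTALL), m (MULTILINE), i (IGNORECASE)
PASS_PCRE = re.compile(rb"^PASS\s[^\n]{50}", re.S | re.M | re.I)
# Hypothetical triage helper pattern: capture the argument of each PASS line
PASS_ARG = re.compile(rb"^PASS[ \t]+([^\r\n]*)", re.M | re.I)


def sid1634_matches(payload: bytes) -> bool:
    """Approximate sid 1634's payload options on one client-to-server payload."""
    idx = payload.upper().find(b"PASS")          # content:"PASS"; nocase;
    if idx < 0:
        return False
    cursor = idx + len(b"PASS")
    # isdataat:50,relative; modelled here as "a byte exists 50 past the cursor"
    if cursor + 50 >= len(payload):
        return False
    # The pcre has no R flag, so it is evaluated from the start of the payload
    return PASS_PCRE.search(payload) is not None


def pass_argument_lengths(payload: bytes) -> list[int]:
    """Length of each PASS argument, to help judge an alert during triage."""
    return [len(m.group(1)) for m in PASS_ARG.finditer(payload)]


# Constructed sample payloads (not captured traffic)
SAMPLES = {
    "short password": b"PASS hunter2\r\n",
    "48-byte argument": b"PASS " + b"A" * 48 + b"\r\n",
    # [^\n] also consumes the trailing \r, so 49 bytes plus CR reaches 50
    "49-byte argument": b"PASS " + b"A" * 49 + b"\r\n",
    "lowercase, after USER": b"USER bob\r\npass " + b"x" * 60 + b"\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:24} fires={sid1634_matches(payload)} "
              f"arg_len={pass_argument_lengths(payload)}")
```

In this approximation a 49-byte argument already matches, because the carriage return counts toward the 50 non-newline bytes; nothing in the match distinguishes an overflow attempt from a long legitimate string.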
