[Snort-sigs] False +ves for IMAP list overflow attempt

Russell Fulton r.fulton at ...575...
Mon May 3 14:09:03 EDT 2004


We see hundreds of these a day from some servers that are using deeply
nested folder hierarchies.

Russell

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  IMAP list overflow attempt

--
Sid: 2118 

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives: This rule will trigger on any list of a sufficiently long IMAP
		 folder path.  I.e. if you have deeply nested folders.
--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References:
-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!






More information about the Snort-sigs mailing list