[Snort-sigs] Possible error in 3066.2 (IMAP append overflow attempt)

nnposter at ...592...
Fri Feb 11 13:27:08 EST 2005


There is probably an error in the recent update of 3066 to revision 2: 
The PCRE "spacer" got increased from 100 to 256 but the corresponding 
isdataat did not. (This does not have any effect on false positives or 
negatives.)

The corrected rule would then be:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 \
(msg:"IMAP append overflow attempt"; \
flow:established,to_server; content:"APPEND"; nocase; \
isdataat:256,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; \
reference:bugtraq,11775; classtype:misc-attack; sid:3066; rev:3;)

Cheers,
nnposter
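
Added example, not part of the original post and not Snort code: it compares the rule's verdict with the isdataat distance the post describes for revision 2 (100) against the corrected 256, using the same PCRE in both cases. It shows the alerts are identical and the only difference is whether the regex is evaluated at all. Assumptions: Python's re module stands in for PCRE, isdataat is modelled simply as "at least n bytes follow the content match", and the payloads are constructed samples.

```python
import re

# pcre:"/\sAPPEND\s[^\n]{256}/smi" translated to Python's re flags.
APPEND_RE = re.compile(rb"\sAPPEND\s[^\n]{256}", re.S | re.M | re.I)
# content:"APPEND"; nocase;
CONTENT_RE = re.compile(rb"APPEND", re.I)


def isdataat_relative(payload, n):
    """Simplified model (assumption): at least n bytes follow an APPEND match."""
    return any(len(payload) - m.end() >= n for m in CONTENT_RE.finditer(payload))


def evaluate(payload, isdataat_n):
    """Return (rule_fires, pcre_was_evaluated) for one isdataat distance."""
    if not isdataat_relative(payload, isdataat_n):
        return False, False   # length pre-check failed, regex never runs
    return APPEND_RE.search(payload) is not None, True


def make_payload(filler_len):
    """Constructed sample command line, not captured traffic."""
    return b"a001 APPEND " + b"A" * filler_len + b"\r\n"


def compare(filler_len):
    """Map each isdataat distance (100 and 256) to its evaluate() result."""
    payload = make_payload(filler_len)
    return {n: evaluate(payload, n) for n in (100, 256)}


if __name__ == "__main__":
    for filler_len in (50, 150, 300):
        print(filler_len, compare(filler_len))
```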



