[Snort-sigs] False positive in 3065.1 (IMAP append literal overflow attempt)

nnposter at ...592... nnposter at ...592...
Tue Jan 18 14:51:36 EST 2005


The current version:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 
(msg:"IMAP append literal overflow attempt"; flow:established,to_server; 
content:"APPEND"; nocase; pcre:"/\sAPPEND\s[^\n]*?\s\{/smi"; 
byte_test:5,>,256,0,string,dec,relative; 
reference:bugtraq,11775; classtype:misc-attack; sid:3065; rev:1;)


I am getting false positives on completely benign commands, such as

    APPEND "Sent Items" (\Seen) {2345}

My interpretation of the rule is that it fires whenever a message literal 
size prefix specifies more than 256 bytes, which seems wrong. Could 
somebody either confirm my interpretation or point out where I am making 
a mistake?

Cheers,
nnposter




More information about the Snort-sigs mailing list