[Snort-sigs] False positive in 3070.1 (IMAP fetch overflow attempt)

nnposter at ...592...
Tue Jan 18 15:17:35 EST 2005


The current version:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143
(msg:"IMAP fetch overflow attempt"; flow:established,to_server;
content:"FETCH"; nocase; isdataat: 100,relative;
pcre:"/\sFETCH\s[^\n]{100}/smi";
reference:bugtraq,11775; classtype:misc-attack; sid:3070; rev:1;)


Could somebody at Sourcefire confirm that the buffer overflow happens as
early as 100 bytes? All published PoCs for BID 11775 have a 260-byte-long
NOP sled. Having a legitimate FETCH with message specifiers over 100
bytes is quite common.

Cheers,
nnposter
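The false-positive question above can be checked directly by reproducing the rule's three payload tests (content, isdataat, pcre) in a small script and running them over sample IMAP commands. The following is an added example, not code from the original post, from Snort or from Sourcefire; the sample FETCH commands are constructed for illustration, the 260-byte threshold is the figure quoted in the post, and the isdataat modelling is an approximation (it checks that at least N bytes follow the content match).

```python
"""Model the matching logic of Snort SID 3070 rev 1 (IMAP fetch overflow
attempt) and compare the 100-byte threshold with a 260-byte one.

Added example for this thread; not the rule's real engine. The three
payload options of the rule are reproduced in pure Python:
  content:"FETCH"; nocase;            -> case-insensitive keyword search
  isdataat:100,relative;              -> at least 100 bytes after the match
  pcre:"/\\sFETCH\\s[^\\n]{100}/smi";  -> 100 non-newline bytes after "FETCH "
"""
import re

# Constructed sample traffic (client -> server, IMAP port 143).
# A routine header-only fetch of the kind a mail client issues on folder
# open; the argument list alone is well over 100 bytes.
LEGIT_LONG_FETCH = (
    b"A142 UID FETCH 1:* (UID FLAGS INTERNALDATE RFC822.SIZE "
    b"BODY.PEEK[HEADER.FIELDS (From To Cc Subject Date Message-ID "
    b"In-Reply-To References)])\r\n"
)
# A minimal fetch that should never trigger the rule.
SHORT_FETCH = b"A002 FETCH 1 (FLAGS)\r\n"
# A synthetic over-long argument (300 digits) standing in for an abnormal
# command; not exploit content, just a length probe for the thresholds.
OVERLONG_FETCH = b"A003 FETCH " + b"1" * 300 + b"\r\n"


def rule_matches(payload: bytes, threshold: int = 100) -> bool:
    """Return True if payload satisfies all three checks of SID 3070.

    threshold replaces the literal 100 in both isdataat and the pcre so the
    same function models a rewritten rule with a different length.
    """
    # content:"FETCH"; nocase;
    idx = payload.upper().find(b"FETCH")
    if idx == -1:
        return False
    # isdataat:<threshold>,relative; -- approximation: at least <threshold>
    # bytes remain after the end of the content match.
    if len(payload) - (idx + len(b"FETCH")) < threshold:
        return False
    # pcre:"/\sFETCH\s[^\n]{<threshold>}/smi"
    pattern = re.compile(rb"\sFETCH\s[^\n]{%d}" % threshold,
                         re.S | re.M | re.I)
    return pattern.search(payload) is not None


def evaluate(threshold: int) -> dict:
    """Run every sample through the rule at the given threshold."""
    samples = {
        "legit_long_fetch": LEGIT_LONG_FETCH,
        "short_fetch": SHORT_FETCH,
        "overlong_fetch": OVERLONG_FETCH,
    }
    return {name: rule_matches(p, threshold) for name, p in samples.items()}


if __name__ == "__main__":
    for t in (100, 260):
        print(f"threshold={t}: {evaluate(t)}")
```

At the rule's 100-byte threshold the routine header fetch fires the alert, which is the false positive the post describes; raising the length to 260 bytes (the NOP sled size quoted for the public PoCs) leaves the legitimate command alone while the over-long sample still matches. Whether 260 is the right figure is exactly the question put to Sourcefire, so treat the number as a tuning candidate rather than a verified bound.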



