[Snort-sigs] False positive in 3070.1 (IMAP fetch overflow attempt)

Matthew Watchinski mwatchinski at ...435...
Wed Jan 19 15:49:09 EST 2005

Hum....  0x100 != 100 decimal

asm for buffer creation.

It should be 256; we'll get this updated.


nnposter at ...592... wrote:

>The current version:
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 143
>(msg:"IMAP fetch overflow attempt"; flow:established,to_server;
>content:"FETCH"; nocase; isdataat: 100,relative;
>reference:bugtraq,11775; classtype:misc-attack; sid:3070; rev:1;)
>
>Could somebody at Sourcefire confirm that the buffer overflow happens as
>early as 100 bytes? All published PoCs for BID 11775 have a 260-byte NOP
>sled. Having a legitimate FETCH with message specifiers over 100 bytes is
>quite common.
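To see why the threshold matters, here is an added example (not part of the thread or of the Snort distribution) that emulates the `content:"FETCH"; nocase; isdataat:N,relative;` part of sid 3070 in Python and runs it with both the shipped value (100) and the corrected one (0x100 = 256) over constructed FETCH commands; the `flow:` keyword is not emulated and the isdataat semantics are modelled as "a payload byte exists N bytes past the end of the match".

```python
import re

# Pieces of sid 3070 that decide the false positive (flow: is not emulated):
#   content:"FETCH"; nocase; isdataat:<N>,relative;
CONTENT = b"FETCH"
OLD_THRESHOLD = 100    # rev:1 as shipped, read as 100 decimal
NEW_THRESHOLD = 0x100  # 256, the value the reply says was intended


def isdataat_relative(payload: bytes, pattern: bytes, offset: int) -> bool:
    """Emulate `content:pattern; nocase; isdataat:offset,relative;`.

    Relative isdataat asserts that a payload byte exists `offset` bytes past
    the end of the previous content match. Assumption: modelled here as
    "index match_end + offset lies inside the buffer".
    """
    m = re.search(re.escape(pattern), payload, re.IGNORECASE)
    if m is None:
        return False  # content never matched, so the rule cannot fire
    return m.end() + offset < len(payload)


def compare_thresholds(payload: bytes) -> tuple:
    """Return (fires_at_100, fires_at_256) for one client-to-server line."""
    return (isdataat_relative(payload, CONTENT, OLD_THRESHOLD),
            isdataat_relative(payload, CONTENT, NEW_THRESHOLD))


# Constructed sample commands, not captured traffic.
SHORT = b"A001 FETCH 1 (FLAGS)\r\n"
# A legitimate client fetching headers for 39 messages by UID: the message
# specifier alone pushes the arguments past 100 bytes but well under 256.
SEQ = ",".join(str(i) for i in range(1, 40)).encode()
LEGIT = (b"A003 UID FETCH " + SEQ +
         b" (FLAGS UID BODY.PEEK[HEADER.FIELDS (FROM TO SUBJECT)])\r\n")
# Oversized argument standing in for the ~260-byte payloads the thread cites.
OVERSIZED = b"A004 FETCH " + b"A" * 300 + b"\r\n"

if __name__ == "__main__":
    for name, cmd in (("short", SHORT), ("legit", LEGIT), ("oversized", OVERSIZED)):
        old, new = compare_thresholds(cmd)
        print(f"{name:9s} isdataat:100 -> {old!s:5s} isdataat:256 -> {new}")
```

The legitimate UID FETCH fires only under the 100-byte threshold, which is exactly the false positive reported; the oversized argument still fires at 256.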
