[Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070

Russell Fulton r.fulton at ...575...
Mon Jan 24 18:06:03 EST 2005

I am seeing many hits on this rule for what appear to be perfectly
normal IMAP requests.

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:100,relative; pcre:"/\sFETCH\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3070; rev:1;)

My understanding of this is that we are looking for a newline within 100
characters of 'FETCH' and alerting if we don't find it.  Unfortunately
there are many legitimate FETCH requests that are longer than 100 chars.

There is no doc on the rule so I don't know what specific attack (if
any) this is trying to detect.

I will be disabling this rule.
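
The behaviour described in the post above, as an added example that is not part of the original message or of the Snort ruleset: a Python approximation of the rule's payload options, run over constructed IMAP commands. The function names and the sample commands are assumptions made for illustration.

```python
import re

# pcre from sid 3070; the /smi modifiers map to DOTALL, MULTILINE, IGNORECASE.
RULE_PCRE = re.compile(r"\sFETCH\s[^\n]{100}", re.S | re.M | re.I)
# Helper pattern (not in the rule): captures what follows FETCH up to the newline.
FETCH_ARGS = re.compile(r"\sFETCH\s([^\n]*)", re.I)


def sid_3070_matches(payload: bytes) -> bool:
    """Approximate the payload options of sid 3070 on one client segment."""
    text = payload.decode("latin-1")
    if "fetch" not in text.lower():  # content:"FETCH"; nocase;
        return False
    # A pcre match already requires 101 bytes after a FETCH, so the
    # isdataat:100,relative condition holds whenever the pcre matches.
    return RULE_PCRE.search(text) is not None


def longest_fetch_args(payload: bytes) -> int:
    """Length of the longest run of non-newline bytes after 'FETCH<ws>'."""
    text = payload.decode("latin-1")
    return max((len(m.group(1)) for m in FETCH_ARGS.finditer(text)), default=0)


def fetch_cmd(arg_len: int) -> bytes:
    """Constructed command with arg_len argument bytes, terminated by CRLF."""
    return b"a003 FETCH " + b"1" * arg_len + b"\r\n"


# Constructed sample commands (not captured traffic).
SHORT = b"a001 FETCH 1:* (FLAGS)\r\n"
LONG_LEGIT = (b"a002 UID FETCH 1:* (UID FLAGS RFC822.SIZE BODY.PEEK[HEADER.FIELDS "
              b"(FROM TO CC SUBJECT DATE MESSAGE-ID PRIORITY X-PRIORITY "
              b"REFERENCES IN-REPLY-TO CONTENT-TYPE)])\r\n")

if __name__ == "__main__":
    for name, p in [("short", SHORT), ("long legit", LONG_LEGIT),
                    ("98 arg bytes", fetch_cmd(98)), ("99 arg bytes", fetch_cmd(99))]:
        print(f"{name:13} args={longest_fetch_args(p):3} alert={sid_3070_matches(p)}")
```

The CR of the CRLF terminator is not a newline for `[^\n]`, so it counts toward the 100 bytes: 99 argument bytes plus CR are enough to match.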

