[Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070

Frank Knobbe frank at ...1978...
Mon Jan 24 20:18:03 EST 2005


On Tue, 2005-01-25 at 15:05 +1300, Russell Fulton wrote:
> I am seeing many hits on this rule for what appear to be perfectly
> normal IMAP requests.
> 
> [...] My understanding of this is that we are looking for a newline within 100
> characters of 'FETCH' and alerting if we don't find it.  Unfortunately
> there are many legitimate FETCH requests that are longer than 100 chars.
> [..] I will be disabling this rule.

Russell,

instead of disabling it, why not just increase the amount of characters?
Perhaps... say... 300? That should be less noisy but still catch
attempts of people trying to overflow the server with long packets.

Regards,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20050124/fff8a119/attachment.sig>


More information about the Snort-sigs mailing list