[Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070

Paul Schmehl pauls at ...1311...
Mon Jan 24 22:20:05 EST 2005


--On Tuesday, January 25, 2005 3:05 PM +1300 Russell Fulton 
<r.fulton at ...575...> wrote:

> I am seeing many hits on this rule for what appear to be perfectly
> normal IMAP requests.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch overflow
> attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:
> 100,relative; pcre:"/\sFETCH\s[^\n]{100}/smi"; reference:bugtraq,11775;
> classtype:misc-attack; sid:3070; rev:1;)
>
> My understanding of this is that we are looking for a newline within 100
> characters of 'FETCH' and alerting if we don't find it.  Unfortunately
> there are many legitimate FETCH requests that are longer than 100 chars.
>
> There is no doc on the rule so I don't know what specific attack (if
> any) this is trying to detect.
>
> I will be disabling this rule.
>
Russell, check the bugtraq page for that.  (I just disabled both of those 
rules today.)  They only apply to the Mercury mail server on Windows.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
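Added example, not from this thread or the Snort project: a Python re-implementation of the payload checks in sid 3070 (content + isdataat, then the pcre), run over constructed IMAP client commands to show why a long but perfectly legitimate FETCH trips the rule while pipelined short commands do not. The isdataat modelling is an approximation of Snort's behaviour, not its engine.

```python
import re

# Python translation of the rule's pcre "/\sFETCH\s[^\n]{100}/smi":
# PCRE's s, m, i flags correspond to DOTALL, MULTILINE, IGNORECASE.
SID_3070_PCRE = re.compile(rb"\sFETCH\s[^\n]{100}",
                           re.DOTALL | re.MULTILINE | re.IGNORECASE)


def isdataat_after_content(payload: bytes, needle: bytes = b"FETCH",
                           nbytes: int = 100) -> bool:
    """Approximation of `content:"FETCH"; nocase; isdataat:100,relative;`:
    true if some case-insensitive occurrence of the content is followed by
    at least nbytes more bytes of payload."""
    lowered = payload.lower()
    start = 0
    while (idx := lowered.find(needle.lower(), start)) != -1:
        if len(payload) - (idx + len(needle)) >= nbytes:
            return True
        start = idx + 1
    return False


def sid_3070_matches(payload: bytes) -> bool:
    """Apply the rule's payload options in order: content/isdataat, then pcre."""
    if not isdataat_after_content(payload):
        return False
    return SID_3070_PCRE.search(payload) is not None


# Constructed sample commands (not real captures).
SHORT_FETCH = b"a0001 FETCH 1 (FLAGS)\r\n"
# A normal mail-client header fetch whose argument list runs past 100 characters
# before the line ends, so the pcre matches even though nothing is wrong with it.
LEGIT_LONG_FETCH = (
    b"a0042 UID FETCH 1:* (FLAGS INTERNALDATE RFC822.SIZE ENVELOPE "
    b"BODY.PEEK[HEADER.FIELDS (From To Cc Bcc Subject Date Message-ID "
    b"Priority X-Priority References Newsgroups In-Reply-To Content-Type Reply-To)])\r\n"
)
# Several short commands pipelined into one segment: plenty of data follows the
# first FETCH (isdataat passes), but no argument spans 100 chars without a newline.
PIPELINED_SHORT = b"".join(b"a%04d FETCH %d (FLAGS)\r\n" % (i, i) for i in range(1, 8))

if __name__ == "__main__":
    for name, cmd in [("short", SHORT_FETCH), ("legit long", LEGIT_LONG_FETCH),
                      ("pipelined", PIPELINED_SHORT)]:
        print(f"{name:11s}: alert={sid_3070_matches(cmd)}")
```

The "legit long" case is the false positive Russell describes: the rule keys on argument length alone, so any client that asks for a long list of header fields will alert.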
