[Snort-sigs] SID 8440: IMAP SSLv2 openssl get shared ciphers overflow attempt
pauls at ...1311...
Tue Nov 7 15:22:14 EST 2006
I'm getting a boatload of alerts from one host for this SID. The rule
looks for [01 03] (SOH followed by ETX) at a depth of 2 bytes. Every
single packet that triggers this alert begins with this sequence: 17 03 01
ETB ETX SOH ETX followed by a high ascii character. So, End of
Transmission Block, End of Text, Start of Heading, End of Text, high ascii.
Any of you uber-geeks want to translate what this host is doing? Or
attempting to do? (BTW, I suspect this is "benign" activity. The source
host is on a local ISP's network, and the dest host is our imap server.
The alerts are triggered every two minutes, give or take a hundredth of a
second, so it looks like aggressive mail checking.)
Is this a broken client? Eeeevvviiilll?
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
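Reading the bytes described above against the SSL/TLS record-layer format, as an added triage helper that is not part of the original post: it classifies the leading bytes of a payload as a TLS record header (0x17 0x03 0x01 is content type application_data, version TLS 1.0) or as an SSLv2-compatible CLIENT-HELLO, and applies Snort-style content/offset/depth matching so the rule's pattern can be tested against captured bytes. The sample payloads are constructed after the post's description, and the offset/depth arguments are parameters, not the values from the SID 8440 rule itself.

```python
import struct
from typing import Optional

# Added triage helper, not code from the original post or from the Snort rule.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1"}


def classify_record_start(payload: bytes) -> dict:
    """Classify the first bytes of a TCP payload seen on an SSL/TLS port."""
    if len(payload) < 5:
        return {"kind": "unknown", "reason": "fewer than 5 bytes"}
    ctype, vmaj, vmin = payload[0], payload[1], payload[2]
    # SSLv3/TLS record layer: content type, 2-byte version (major 3), 2-byte length.
    if ctype in TLS_CONTENT_TYPES and vmaj == 3:
        return {"kind": "tls_record",
                "content_type": TLS_CONTENT_TYPES[ctype],
                "version": TLS_VERSIONS.get((vmaj, vmin), f"{vmaj}.{vmin}"),
                "length": struct.unpack("!H", payload[3:5])[0]}
    # SSLv2 framing: 2-byte length with the high bit set, then message type.
    # A v2-compatible CLIENT-HELLO is type 0x01 followed by the offered
    # version, so "01 03 01" at offset 2 is a v2 hello offering TLS 1.0.
    if payload[0] & 0x80 and payload[2] == 0x01:
        return {"kind": "sslv2_client_hello",
                "offered_version": TLS_VERSIONS.get(
                    (payload[3], payload[4]), f"{payload[3]}.{payload[4]}"),
                "length": ((payload[0] & 0x7F) << 8) | payload[1]}
    return {"kind": "unknown", "reason": "no SSL/TLS framing recognised"}


def snort_content_match(payload: bytes, pattern: bytes,
                        offset: int = 0, depth: Optional[int] = None) -> bool:
    """Snort-style content match: the pattern must lie entirely inside the
    window starting at `offset` and spanning `depth` bytes (whole payload
    when depth is None)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


# Constructed samples (not captured traffic): one modelled on the post's
# "17 03 01 ... high ascii" prefix, one SSLv2-compatible hello offering TLS 1.0.
TLS_APPDATA_SAMPLE = b"\x17\x03\x01\x00\x20" + b"\x9f" * 32
SSLV2_HELLO_SAMPLE = (b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10"
                      + b"\x00" * 37)

if __name__ == "__main__":
    for name, sample in (("tls", TLS_APPDATA_SAMPLE), ("v2", SSLV2_HELLO_SAMPLE)):
        print(name, classify_record_start(sample),
              snort_content_match(sample, b"\x01\x03", offset=2, depth=2))
```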