[Snort-sigs] SID 8440: IMAP SSLv2 openssl get shared ciphers overflow attempt

Brian bmc at ...95...
Thu Nov 9 12:49:56 EST 2006


On Tue, Nov 07, 2006 at 02:22:14PM -0600, Paul Schmehl wrote:
> I'm getting a boatload of alerts from one host for this SID.  The rule 
> looks for [01 03] (SOH followed by ETX) at a depth of 2 bytes.  Every 
> single packet that triggers this alert begins with this sequence: 17 03 01 
> 03 80
> 
> ETB ETX SOH ETX followed by a high ascii character.  So, End of 
> Transmission Block, End of Text, Start of Heading, End of Text, high ascii.
> 
> Any of you uber-geeks want to translate what this host is doing?  Or 
> attempting to do?  (BTW, I suspect this is "benign" activity.  The source 
> host is on a local ISP's network, and the dest host is our imap server. 
> The alerts are triggered every two minutes, give or take a hundredth of a 
> second, so it looks like aggressive mail checking.)
> 
> Is this a broken client?  Eeeevvviiilll?

IIRC, I wrote those rules.  Send me pcap.  I'll take a look.

Brian
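Added example, not code from this thread or from the Snort ruleset. It decodes the five bytes Paul quotes (17 03 01 03 80) as a TLS record header (content type 0x17 application_data, version 03 01 = TLS 1.0, length 0x0380 = 896 bytes), decodes a constructed SSLv2 CLIENT-HELLO of the shape an "|01 03|" match is meant to catch, and replays Snort's content/offset/depth semantics over both. The thread only says the rule matches at depth 2; that it also uses offset:2 is an assumption made here so that the quoted payload matches at all, and the filler bytes and the SSLv2 hello are constructed, not captured.

```python
"""Decode the bytes quoted in the thread and replay a Snort content/offset/depth
match against them.  Added example; sample payloads are constructed here."""

# Payload prefix quoted in the thread: 17 03 01 03 80.  Read as a TLS record
# header: content type 0x17 (application_data), version 03 01 (TLS 1.0),
# length 0x0380 (896).  The 896 filler bytes are constructed so the record
# length field is consistent with the header.
TLS_APPDATA = bytes.fromhex("17 03 01 03 80") + b"\x00" * 0x380

# Constructed SSLv2 CLIENT-HELLO, the shape an "|01 03|" content match targets:
#   80 LL             2-byte record header (high bit set), LL = record length
#   01                message type CLIENT-HELLO
#   03 01             client version (TLS 1.0 offered through an SSLv2 hello)
#   00 03 00 00 00 10 cipher-specs length, session-id length, challenge length
#   00 00 04          one 3-byte cipher spec
#   11 * 16           16-byte challenge
_sslv2_body = (bytes.fromhex("01 03 01") + bytes.fromhex("00 03 00 00 00 10")
               + bytes.fromhex("00 00 04") + b"\x11" * 16)
SSLV2_HELLO = bytes([0x80 | (len(_sslv2_body) >> 8), len(_sslv2_body) & 0xFF]) + _sslv2_body

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_tls_record(payload):
    """Return the TLS record header fields, or None if the bytes do not look like one."""
    if len(payload) < 5:
        return None
    ctype, vmaj, vmin = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    if ctype not in TLS_CONTENT_TYPES or vmaj != 3:
        return None
    return {"type": ctype, "type_name": TLS_CONTENT_TYPES[ctype],
            "version": (vmaj, vmin), "length": length,
            "complete": len(payload) >= 5 + length}


def parse_sslv2_record(payload):
    """Return SSLv2 record header fields.  The header is 2 bytes when the high bit
    of byte 0 is set (15-bit length), otherwise 3 bytes (14-bit length plus a
    padding-length byte)."""
    if len(payload) < 3:
        return None
    if payload[0] & 0x80:
        hdr_len, length = 2, ((payload[0] & 0x7F) << 8) | payload[1]
    else:
        hdr_len, length = 3, ((payload[0] & 0x3F) << 8) | payload[1]
    body = payload[hdr_len:hdr_len + length]
    if not body:
        return None
    rec = {"header_len": hdr_len, "length": length, "msg_type": body[0]}
    if body[0] == 0x01 and len(body) >= 3:   # CLIENT-HELLO carries a 2-byte version next
        rec["version"] = (body[1], body[2])
    return rec


def snort_content_match(payload, pattern, offset=0, depth=None):
    """Emulate Snort content/offset/depth: search only payload[offset:offset+depth]
    (the whole remainder when depth is None); the full pattern must fit in that window."""
    end = len(payload) if depth is None else offset + depth
    return payload.find(pattern, offset, end) != -1


def classify(payload):
    """Which layer the leading bytes most plausibly belong to.  A TLS record header
    also parses as an SSLv2 3-byte header, so a valid TLS header wins, as dissectors do."""
    if parse_tls_record(payload):
        return "tls_record"
    v2 = parse_sslv2_record(payload)
    if v2 and v2["header_len"] == 2 and v2["msg_type"] == 0x01:
        return "sslv2_client_hello"
    return "unknown"


if __name__ == "__main__":
    for name, pkt in (("thread payload", TLS_APPDATA), ("sslv2 hello", SSLV2_HELLO)):
        print(name, "->", classify(pkt), parse_tls_record(pkt) or parse_sslv2_record(pkt))
        for off in (0, 2):
            hit = snort_content_match(pkt, b"\x01\x03", offset=off, depth=2)
            print("  content:|01 03|; offset:%d; depth:2 -> %s" % (off, hit))
```

With depth:2 alone (offset 0) the quoted payload cannot match, because its first two bytes are 17 03; it only matches if the search window starts at offset 2, where the TLS version/length bytes 01 03 line up with the pattern. That is the check worth making before sending the pcap: dump the first few bytes of each alerting packet and confirm whether they are an SSLv2 record header (high bit set in byte 0, message type 01) or a TLS record header, which is what an established STARTTLS IMAP session carries on port 143.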
