[Snort-sigs] SID 8440: IMAP SSLv2 openssl get shared ciphers overflow attempt

Paul Schmehl pauls at ...1311...
Thu Nov 9 18:21:01 EST 2006


I already sent a pcap to development.  Do you need another one?

--On Thursday, November 09, 2006 12:49:56 -0500 Brian <bmc at ...95...> wrote:

> On Tue, Nov 07, 2006 at 02:22:14PM -0600, Paul Schmehl wrote:
>> I'm getting a boatload of alerts from one host for this SID.  The rule
>> looks for [01 03] (SOH followed by ETX) at a depth of 2 bytes.  Every
>> single packet that triggers this alert begins with this sequence: 17 03
>> 01 03 80
>>
>> ETB ETX SOH ETX followed by a high ascii character.  So, End of
>> Transmission Block, End of Text, Start of Heading, End of Text, high
>> ascii.
>>
>> Any of you uber-geeks want to translate what this host is doing?  Or
>> attempting to do?  (BTW, I suspect this is "benign" activity.  The
>> source host is on a local ISP's network, and the dest host is our imap
>> server.  The alerts are triggered every two minutes, give or take a
>> hundredth of a second, so it looks like aggressive mail checking.)
>>
>> Is this a broken client?  Eeeevvviiilll?
>
> IIRC, I wrote those rules.  Send me pcap.  I'll take a look.
>
> Brian



Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
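Added here as an editor's example, not part of the thread: a small Python classifier showing why a bare |01 03| byte test hits both a TLS application-data record such as the 17 03 01 03 80 prefix Paul quotes and an SSLv2-style CLIENT-HELLO. Both sample byte strings are constructed, and looks_like_sid8440_trigger is only an approximation of the byte test Paul describes, not the SID 8440 rule text.

```python
import struct

# Constructed sample: the 5-byte payload prefix Paul reports (17 03 01 03 80).
PAUL_PREFIX = bytes.fromhex("1703010380")

# Constructed sample: an SSLv2-style CLIENT-HELLO advertising version 3.1.
# Layout: 2-byte header (MSB set, 15-bit length), msg type 0x01, version,
# cipher-specs length, session-id length, challenge length, then the data.
SSLV2_HELLO = bytes.fromhex(
    "8022"                      # header: length 0x22 = 34 bytes follow
    "01" "0301"                 # CLIENT-HELLO, version 3.1
    "0009" "0000" "0010"        # 9 bytes of cipher specs, no session id, 16-byte challenge
    "010080" "000004" "000005"  # three 3-byte cipher specs
) + bytes(range(16))            # constructed challenge

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def looks_like_sid8440_trigger(buf: bytes) -> bool:
    """Approximation of the byte test Paul describes (|01 03| near the start
    of the payload); NOT the actual SID 8440 rule text."""
    return b"\x01\x03" in buf[:4]


def classify(buf: bytes) -> dict:
    """Say what the first bytes of a TCP payload look like: a TLS/SSLv3 record
    header, an SSLv2 record, or neither."""
    if len(buf) < 5:
        return {"kind": "short"}
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", buf[:5])
    # TLS/SSLv3 record: content type, version 3.x, 16-bit body length.
    if ctype in TLS_CONTENT_TYPES and vmaj == 3:
        return {"kind": "tls_record", "content_type": TLS_CONTENT_TYPES[ctype],
                "version": f"{vmaj}.{vmin}", "length": length}
    # SSLv2 record: MSB of first byte set, then CLIENT-HELLO (0x01) and version.
    if buf[0] & 0x80 and buf[2] == 0x01:
        info = {"kind": "sslv2_client_hello", "version": f"{buf[3]}.{buf[4]}",
                "length": ((buf[0] & 0x7F) << 8) | buf[1]}
        if len(buf) >= 11:
            cs_len, sid_len, ch_len = struct.unpack("!HHH", buf[5:11])
            info.update(cipher_specs=cs_len // 3, session_id_len=sid_len,
                        challenge_len=ch_len)
        return info
    return {"kind": "unknown"}


if __name__ == "__main__":
    for name, sample in (("paul_prefix", PAUL_PREFIX), ("sslv2_hello", SSLV2_HELLO)):
        print(name, looks_like_sid8440_trigger(sample), classify(sample))
```

Paul's prefix parses as a TLS 1.0 application-data record with an 896-byte body, which is the shape of an established IMAPS session rather than an SSLv2 hello; that parse is a triage aid for the false-positive question, not a verdict on the host.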