[Snort-sigs] SID: 8440

Patrik Israelsson patrik.israelsson at ...1288...
Tue Apr 24 12:30:48 EDT 2007

On Tuesday 24 April 2007 17.24, Paul Schmehl wrote:
> I'm trying to understand *why* what appear to be legitimate users checking
> email is tripping this alert.  Is it badly configured clients?  Unpatched
> clients?  Badly designed clients that ignore the protocol?
> The bottom line is, why are our users' email clients routinely trying to
> overflow a buffer?

For what it's worth, I've deactivated this sig since long since it was giving 
way too many false positives. We run NIDS services for a whole bunch of 
companies and this sig has triggered massively on our sensors in pretty much 
every network we've connected them to. So I'm fairly confident that what 
you're seeing is not clients trying to exploit a vulnerability, rather they 
are just going about their usual business and this Snort sig is interpreting 
it incorrectly.


More information about the Snort-sigs mailing list