[Snort-sigs] IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow
rmkml at ...174...
Sun Mar 25 17:53:05 EDT 2012
Your revision on this rule is correct, but you don't have flowbits on
this rule: strange?
Please add this flowbits: flowbits:isset,qualcom.worldmail.ok;
On Mon, 26 Mar 2012, Yew Chuan Ong wrote:
> Hey guys,
> I experienced lots of FPs with this sig - IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow.
> alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow"; flow:established,to_server; dsize:>668; metadata:policy balanced-ips drop, policy security-ips drop, service imap; reference:bugtraq,15980; reference:cve,2005-4267; classtype:attempted-admin; sid:17328; rev:1;)
> When I checked on the payloads, these are just normal email contents (not suspicious). I am wondering why the packet size is more than 668 bytes if it is not a real buffer overflow attempt. Any ideas?
> Yew Chuan
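As an added illustration of the exchange above (not code from the thread, from Snort, or from the rule's authors), here is a small Python model of how Snort evaluates the posted rule with and without the flowbits gate rmkml asks for. The rule as posted keys only on dsize:>668 for any established client-to-server packet on port 143, so a client uploading an ordinary message with APPEND trips it. The companion rule that sets qualcom.worldmail.ok, the "WorldMail" banner substring it keys on, and all packet contents below are assumptions constructed for the example.

```python
"""Toy model of Snort rule evaluation on an IMAP session.

Added example for the Snort-sigs thread; it is not Snort code and not the
rule authors' detection logic. The 'WorldMail' banner token and the packets
below are constructed assumptions, used only to show the effect of gating a
dsize-only rule with flowbits:isset.
"""
from dataclasses import dataclass, field

FLOWBIT = "qualcom.worldmail.ok"


@dataclass
class Packet:
    to_server: bool   # Snort's flow:to_server / to_client direction
    payload: bytes    # TCP payload; Snort's dsize is len(payload)


@dataclass
class Flow:
    """Per-connection state; flowbits are stored on the flow, not the packet."""
    bits: set = field(default_factory=set)


def rule_dsize_only(pkt: Packet, flow: Flow) -> bool:
    """sid:17328 as posted: flow:established,to_server; dsize:>668; no content check."""
    return pkt.to_server and len(pkt.payload) > 668


def rule_worldmail_banner(pkt: Packet, flow: Flow) -> bool:
    """Hypothetical companion rule: flowbits:set,qualcom.worldmail.ok; flowbits:noalert;
    Fires on a server greeting that identifies WorldMail (assumed token) and marks the flow."""
    if not pkt.to_server and b"WorldMail" in pkt.payload:
        flow.bits.add(FLOWBIT)
    return False  # noalert: this rule only tags the flow


def rule_dsize_gated(pkt: Packet, flow: Flow) -> bool:
    """The posted rule plus flowbits:isset,qualcom.worldmail.ok;"""
    return rule_dsize_only(pkt, flow) and FLOWBIT in flow.bits


RULES = {
    "worldmail_banner": rule_worldmail_banner,
    "dsize_only": rule_dsize_only,
    "dsize_gated": rule_dsize_gated,
}


def evaluate(session, rules=RULES):
    """Run every rule over every packet of one TCP session; return (packet index, rule name) alerts."""
    flow = Flow()
    alerts = []
    for i, pkt in enumerate(session):
        for name, rule in rules.items():
            if rule(pkt, flow):
                alerts.append((i, name))
    return alerts


def imap_append(mailbox: str, message: bytes) -> bytes:
    """APPEND with a LITERAL+ ({n+}) literal, so command and message go in one write."""
    return b"a003 APPEND " + mailbox.encode() + b" {%d+}\r\n" % len(message) + message + b"\r\n"


# Constructed message body, well over the rule's 668-byte dsize threshold.
LARGE_MESSAGE = (b"From: alice@example.test\r\nSubject: quarterly report\r\n\r\n"
                 + b"Lorem ipsum dolor sit amet. " * 40)


def benign_session():
    """A non-WorldMail server; the client saves a sent message into a folder."""
    return [
        Packet(False, b"* OK IMAP4rev1 server ready\r\n"),
        Packet(True, b"a001 LOGIN alice secret\r\n"),
        Packet(False, b"a001 OK LOGIN completed\r\n"),
        Packet(True, imap_append("Sent", LARGE_MESSAGE)),
    ]


def worldmail_session():
    """Same client behaviour against a server whose greeting (assumed) names WorldMail."""
    return [
        Packet(False, b"* OK WorldMail IMAP4 server ready\r\n"),
        Packet(True, b"a001 LOGIN alice secret\r\n"),
        Packet(False, b"a001 OK LOGIN completed\r\n"),
        Packet(True, imap_append("Sent", LARGE_MESSAGE)),
    ]


if __name__ == "__main__":
    for label, sess in (("benign", benign_session()), ("worldmail", worldmail_session())):
        print(label, [name for _, name in evaluate(sess)])
```

The dsize-only rule alerts on the APPEND in both sessions, which is the false-positive pattern Yew Chuan describes: the oversized packet is just message content. The gated version alerts only on the session whose flow was tagged by the banner rule. The gate is still a weak check on its own, since nothing in either rule inspects the IMAP literal token the CVE concerns; it only stops the rule firing against servers that are not the affected product.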