[Snort-sigs] IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow

rmkml rmkml at ...174...
Sun Mar 25 19:30:59 EDT 2012


Personally I have rewritten these two VRT rules to simply "}}}}}" (of course removed dsize/flowbits, my rule is possibly FN/FP but I don't have FP on my network traffic)
  http://www.securityfocus.com/bid/15980/exploit
Regards
Rmkml


On Mon, 26 Mar 2012, Yew Chuan Ong wrote:

> Thanks. One question, is it normal to see a packet with size greater than 668 bytes?
> Is it the only indicator?
> 
> On Mon, Mar 26, 2012 at 5:53 AM, rmkml <rmkml at ...174...> wrote:
>       Hi,
>       Your revision on this rule is correct, but you don't have flowbits on this rule: strange?
>       Please add this flowbits:  flowbits:isset,qualcom.worldmail.ok;
>       Regards
>       Rmkml
> 
>
>       On Mon, 26 Mar 2012, Yew Chuan Ong wrote:
>
>             Hey guys,
>             I experienced lots of FPs with this sig - IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow.
>             alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow"; flow:established,to_server; dsize:>668; metadata:policy balanced-ips drop, policy security-ips drop, service imap; reference:bugtraq,15980; reference:cve,2005-4267; classtype:attempted-admin; sid:17328; rev:1;)
>             When I checked on the payloads, these are just normal email contents (not suspicious). I am wondering why the packet size is more than 668 bytes if it is not a real buffer
>             overflow attempt. Any ideas?
>             Thanks.
>             Regards
>             Yew Chuan
> 
> 
> 
>
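The three rule variants the thread talks about (the VRT rule as quoted with only dsize:>668, the same rule gated by the flowbits:isset,qualcom.worldmail.ok option rmkml asks for, and rmkml's content-only rewrite on "}}}}}") can be compared on sample traffic with the toy evaluator below. This is an added example, not Snort and not code from the list or from the VRT; it models only the dsize, flowbit and content checks. The IMAP packets are constructed, and the WorldMail flowbit is assumed to have been set on the flow by some other rule that the thread does not show.

```python
"""Toy evaluation of the three rule variants from the thread: the VRT rule
as quoted (dsize:>668), the same rule gated by the flowbit rmkml asks for,
and rmkml's content-only rewrite. This is not Snort; it models only the
dsize, flowbits:isset and content checks, over constructed IMAP traffic."""

from dataclasses import dataclass, field

WORLDMAIL_BIT = "qualcom.worldmail.ok"  # flowbit name taken from the thread


@dataclass
class Packet:
    label: str
    payload: bytes
    to_server: bool = True
    benign: bool = True
    # Flowbits already set on this flow by earlier rules (constructed state;
    # the thread does not show which rule sets the WorldMail bit).
    flowbits: set = field(default_factory=set)


def rule_dsize_only(pkt: Packet) -> bool:
    """flow:established,to_server; dsize:>668 (the rule as quoted)."""
    return pkt.to_server and len(pkt.payload) > 668


def rule_dsize_flowbit(pkt: Packet) -> bool:
    """Same check, plus flowbits:isset,qualcom.worldmail.ok."""
    return rule_dsize_only(pkt) and WORLDMAIL_BIT in pkt.flowbits


def rule_content_only(pkt: Packet) -> bool:
    """rmkml's rewrite: content:"}}}}}" with no dsize or flowbits."""
    return pkt.to_server and b"}}}}}" in pkt.payload


RULES = {
    "dsize>668": rule_dsize_only,
    "dsize>668+flowbit": rule_dsize_flowbit,
    "content:}}}}}": rule_content_only,
}


def build_samples() -> list:
    """Constructed IMAP packets; none is real captured traffic."""
    body = (b"From: alice@example.invalid\r\nTo: bob@example.invalid\r\n"
            b"Subject: weekly report\r\n\r\n"
            + b"Lorem ipsum dolor sit amet. " * 30)
    # A normal APPEND of an ordinary message: well over 668 bytes.
    append = b"A003 APPEND INBOX {%d}\r\n" % len(body) + body
    return [
        Packet("append-other-server", append),
        Packet("append-worldmail", append, flowbits={WORLDMAIL_BIT}),
        Packet("noop-worldmail", b"A001 NOOP\r\n", flowbits={WORLDMAIL_BIT}),
        # Short packet carrying the brace run rmkml's rewrite keys on.
        Packet("braces-worldmail",
               b"A002 LIST \"\" \"" + b"}" * 8 + b"\"\r\n",
               benign=False, flowbits={WORLDMAIL_BIT}),
        # Large server-to-client FETCH response: flow direction excludes it.
        Packet("server-fetch-response",
               b"* 1 FETCH (BODY[] {800}\r\n" + b"x" * 800, to_server=False),
    ]


def matches(rule_name: str, packets: list) -> list:
    """Labels of the packets the named rule variant would alert on."""
    rule = RULES[rule_name]
    return [p.label for p in packets if rule(p)]


def false_positives(rule_name: str, packets: list) -> list:
    """Alerts on packets marked benign: the FPs Yew Chuan describes."""
    rule = RULES[rule_name]
    return [p.label for p in packets if p.benign and rule(p)]


if __name__ == "__main__":
    samples = build_samples()
    for name in RULES:
        print(f"{name:20} alerts={matches(name, samples)} "
              f"fp={false_positives(name, samples)}")
```

Running it shows the shape of the thread: the dsize-only rule alerts on every large client command regardless of server, the flowbit removes the alerts against servers that are not WorldMail but still fires on an ordinary large APPEND to a WorldMail server, and the content-only rewrite ignores size entirely and matches just the brace run.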

