[Snort-users] pop3 PASs overflow rule

Shane Hickey shane at ...5522...
Tue Dec 3 09:34:05 EST 2002

Can someone help me make sense of this?  I tried checking the snort
website, but I can't resolve it right now (neither can ns.cw.net for
that matter).  Anyway, here's the rule I have questions about 

alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow
attempt"; flow:to_server,established; content:"PASS "; nocase;
content:!"|0a|"; within:60; reference:cve,CAN-1999-1511;
reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)

It seems to me that it's saying that if something specific in the
content section isn't found within 60 (bits?) then this matches.  The
problem that I'm having is that I'm getting alerts for this rule on what
seems like normal POP3 traffic.  For example, this matched.  (IPs and
password strings changed, but I left the password string the same
length).  Is it the ".." after the password?  I wasn't sure if that was
part of the password string, but I suppose it could be.

#(1 - 143127) [2002-12-03 09:49:35] nessus[cve/CAN-1999-1511]
[icat/CAN-1999-1511] [snort/1634]  POP3 PASS overflow attempt
IPv4: ->
      hlen=5 TOS=0 dlen=54 ID=5260 flags=0 offset=0 TTL=114 chksum=41906
TCP:  port=1370 -> dport: 110  flags=***AP*** seq=4263001887
      ack=2494728179 off=5 res=0 win=9576 urp=0 chksum=53014
Payload:  length = 14

000 : 50 41 53 53 20 77 69 6C 64 61 6C 32 0D 0A         PASS passwo2..

Shane Hickey
Network/System Consultant

More information about the Snort-users mailing list