[Snort-users] FP's with sid:17239 - IMAP Alt-N MDaemon IMAP server CREATE command buffer overflow attempt

Eoin Miller eoin.miller at ...14586...
Tue Oct 12 13:20:35 EDT 2010


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IMAP Alt-N MDaemon IMAP server CREATE command buffer overflow attempt"; flow:to_server,established; content:" CREATE "; nocase; isdataat:180,relative; pcre:"/^[^\r\n]{180}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service imap; reference:bugtraq,14315; classtype:attempted-dos; sid:17239; rev:1;)

I really can't believe this signature, it seems like it would trigger 
WAY too often. Anyone else getting a lot of hits with this?

-- Eoin
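
Added example, not part of the original post: a Python sketch that emulates only the payload options of the rule above (content, isdataat, pcre) against constructed payloads, to show which traffic shapes satisfy them. Flow state, ports and the service metadata are not modelled, and the function names and sample payloads are assumptions made for illustration.

```python
import re

# Emulates only the payload options of sid:17239. Flow state, ports and the
# "service imap" metadata are not modelled (assumption of this sketch).
CONTENT = b" create "                 # content:" CREATE "; nocase;
TAIL = re.compile(rb"[^\r\n]{180}")   # pcre:"/^[^\r\n]{180}/R"


def rule_matches(payload: bytes) -> bool:
    """True if some ' CREATE ' is followed by 180+ bytes with no CR/LF."""
    lowered = payload.lower()
    start = 0
    while (idx := lowered.find(CONTENT, start)) != -1:
        end = idx + len(CONTENT)
        # isdataat:180,relative approximated as "more than 180 bytes remain"
        if len(payload) - end > 180 and TAIL.match(payload, end):
            return True
        start = idx + 1  # retry from the next occurrence of the content
    return False


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "imap_long_mailbox": b'a001 CREATE "' + b"A" * 300 + b'"\r\n',
    "imap_normal": b'a002 CREATE "Archive/2010"\r\n',
    "sql_ddl_one_line": b"BEGIN; CREATE TABLE audit_log ("
    + b", ".join(b"col%d VARCHAR(64)" % i for i in range(12))
    + b");\n",
    "short_line_then_data": b"please CREATE a ticket\r\n" + b"x" * 300,
}


def classify(samples=SAMPLES):
    """Map each sample name to whether the emulated rule would fire."""
    return {name: rule_matches(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:22} {'ALERT' if hit else 'no match'}")
```

The one-line SQL statement satisfies the same payload options as the long IMAP mailbox name, because nothing in the content or pcre ties " CREATE " to an IMAP command tag.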



