Snort mailing list archives

IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow


From: Yew Chuan Ong <yewchuan88 () gmail com>
Date: Mon, 26 Mar 2012 03:35:03 +0800

Hi guys,

I experienced lots of FPs with this sig - IMAP Qualcomm WorldMail IMAP
Literal Token Parsing Buffer Overflow.

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow"; flow:established,to_server; dsize:>668; metadata:policy balanced-ips drop, policy security-ips drop, service imap; reference:bugtraq,15980; reference:cve,2005-4267; classtype:attempted-admin; sid:17328; rev:1;)

When I checked on the payloads, these are just normal email contents (not
suspicious). I am wondering why the packet size is more than 668 bytes if
it is not a real buffer overflow attempt. Any ideas? Thanks.


Regards
Yew Chuan
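
The rule as posted has no content match: its only payload condition is dsize:>668, so any client-to-server segment to port 143 larger than 668 bytes matches. The Python sketch below is an added example, not part of the original post or of Snort; it applies that condition to constructed sample payloads and reports two triage features for an analyst reviewing such alerts. The sample payloads, the function names and the line-length/literal heuristic are assumptions made for illustration.

```python
import re

DSIZE_THRESHOLD = 668  # from the rule's dsize:>668 option
# IMAP literal announcement such as {971} or {971+} at the end of a command line
LITERAL = re.compile(rb"\{(\d+)\+?\}\r\n")


def rule_matches(payload: bytes) -> bool:
    """Payload condition of the rule as posted: TCP payload larger than 668 bytes."""
    return len(payload) > DSIZE_THRESHOLD


def triage(payload: bytes) -> dict:
    """Summarise a client-to-server segment for an analyst reviewing the alert."""
    lines = payload.split(b"\r\n")
    return {
        "dsize": len(payload),
        "alert": rule_matches(payload),
        # Heuristic (assumption): mail bodies wrap lines, so long lines stand out.
        "longest_line": max(len(line) for line in lines),
        # Sizes the client announced for literal data that follows the command.
        "literal_sizes": [int(m.group(1)) for m in LITERAL.finditer(payload)],
    }


# Constructed sample payloads (not captured traffic).
BODY = (b"Subject: weekly report\r\n\r\n"
        + b"Ordinary message text, well under eighty characters per line.\r\n" * 15)
SAMPLES = {
    "login": b"a001 LOGIN user pass\r\n",
    "append_mail": b"a002 APPEND INBOX {%d}\r\n" % len(BODY) + BODY,
    "one_long_line": b'a003 LIST "" ' + b"x" * 700 + b"\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, triage(payload))
```

Both large samples raise the alert; only the features beyond packet size tell the ordinary mail upload apart from the segment made of one unbroken line.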
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org