Snort mailing list archives
pop3 PASs overflow rule
From: Shane Hickey <shane () howsyournetwork com>
Date: 03 Dec 2002 10:33:40 -0700
Can someone help me make sense of this? I tried checking the snort website, but I can't resolve it right now (neither can ns.cw.net for that matter). Anyway, here's the rule I have questions about:

    alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS "; nocase; content:!"|0a|"; within:60; reference:cve,CAN-1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)

It seems to me that it's saying that if something specific in the content section isn't found within 60 (bits?) then this matches. The problem that I'm having is that I'm getting alerts for this rule on what seems like normal POP3 traffic. For example, this matched. (IPs and password strings changed, but I left the password string the same length.) Is it the ".." after the password? I wasn't sure if that was part of the password string, but I suppose it could be.

    #(1 - 143127) [2002-12-03 09:49:35] nessus[cve/CAN-1999-1511] [icat/CAN-1999-1511] [snort/1634] POP3 PASS overflow attempt
    IPv4: 10.10.10.10 -> 192.168.1.1
          hlen=5 TOS=0 dlen=54 ID=5260 flags=0 offset=0 TTL=114 chksum=41906
    TCP:  port=1370 -> dport: 110  flags=***AP*** seq=4263001887
          ack=2494728179 off=5 res=0 win=9576 urp=0 chksum=53014
    Payload:  length = 14
    000 : 50 41 53 53 20 77 69 6C 64 61 6C 32 0D 0A   PASS passwo2..

-- 
Shane Hickey
Network/System Consultant
Howsyournetwork.com
406.240.6675