Snort mailing list archives

pop3 PASs overflow rule


From: Shane Hickey <shane () howsyournetwork com>
Date: 03 Dec 2002 10:33:40 -0700

Can someone help me make sense of this?  I tried checking the snort
website, but I can't resolve it right now (neither can ns.cw.net for
that matter).  Anyway, here's the rule I have questions about 

alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS "; nocase; content:!"|0a|"; within:60; reference:cve,CAN-1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)

It seems to me that it's saying that if something specific in the
content section isn't found within 60 (bits?) then this matches.  The
problem that I'm having is that I'm getting alerts for this rule on what
seems like normal POP3 traffic.  For example, this matched.  (IPs and
password strings changed, but I left the password string the same
length).  Is it the ".." after the password?  I wasn't sure if that was
part of the password string, but I suppose it could be.

#(1 - 143127) [2002-12-03 09:49:35] nessus[cve/CAN-1999-1511]
[icat/CAN-1999-1511] [snort/1634]  POP3 PASS overflow attempt
IPv4: 10.10.10.10 -> 192.168.1.1
      hlen=5 TOS=0 dlen=54 ID=5260 flags=0 offset=0 TTL=114 chksum=41906
TCP:  port=1370 -> dport: 110  flags=***AP*** seq=4263001887
      ack=2494728179 off=5 res=0 win=9576 urp=0 chksum=53014
Payload:  length = 14

000 : 50 41 53 53 20 77 69 6C 64 61 6C 32 0D 0A         PASS passwo2..




-- 
Shane Hickey
Network/System Consultant
Howsyournetwork.com
406.240.6675
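For readers working through the same question, here is an added example (not part of the post or of the Snort project) that evaluates the two content checks of sid:1634 in Python under the semantics the Snort manual documents: `content:"PASS "; nocase;` is a case-insensitive search, and `content:!"|0a|"; within:60;` is a negated check that succeeds only if no 0x0a byte is found in the 60 bytes (bytes, not bits) following the end of the previous match. The first payload is the one from the post's hex dump; the trailing ".." in the dump's ASCII column are the non-printable 0D 0A (CR LF) bytes. The other payloads are constructed. Under these documented semantics the posted payload does not fire, because its LF lies 8 bytes after "PASS "; whether the 2002 Snort build evaluated a negated content with `within` this way is exactly what the post is asking, and this example does not settle it. The `flow` check is outside the example's scope.

```python
"""Evaluate the content logic of Snort sid:1634 (POP3 PASS overflow attempt)
as documented for `content`, `nocase`, `!` and `within`.
Added example; not from the original post or from Snort."""

# Payload copied from the post's hex dump (14 bytes, ends in CR LF).
POSTED_PAYLOAD = bytes.fromhex("50 41 53 53 20 77 69 6C 64 61 6C 32 0D 0A")

# Constructed test inputs (not captured traffic).
LONG_PASS = b"PASS " + b"A" * 80 + b"\r\n"   # 80-byte password: no LF in the first 60 bytes
SHORT_PASS = b"pass hunter2\r\n"            # ordinary login, lower-case verb (exercises nocase)
NO_TERMINATOR = b"PASS " + b"B" * 30        # segment that ends before the CR LF arrives


def find_nocase(buf: bytes, pattern: bytes, start: int = 0) -> int:
    """Case-insensitive substring search, as `content:...; nocase;` does.
    Returns the match offset or -1."""
    return buf.lower().find(pattern.lower(), start)


def rule_1634_matches(payload: bytes, within: int = 60) -> bool:
    """Return True if both content checks of sid:1634 succeed on `payload`.

    1. content:"PASS "; nocase;      -> "PASS " anywhere in the payload.
    2. content:!"|0a|"; within:60;   -> negated: succeeds only if NO 0x0a byte is
       found within `within` bytes after the end of the previous match.
    """
    idx = find_nocase(payload, b"PASS ")
    if idx < 0:
        return False
    cursor = idx + len(b"PASS ")            # end of the previous match ("doe" pointer)
    window = payload[cursor:cursor + within]  # the `within` search region
    lf_found = b"\n" in window
    return not lf_found                      # negated content: match only when absent


def explain(payload: bytes, within: int = 60) -> str:
    """Human-readable trace of the evaluation, for checking a suspect alert."""
    idx = find_nocase(payload, b"PASS ")
    if idx < 0:
        return "no 'PASS ' in payload: rule does not fire"
    cursor = idx + len(b"PASS ")
    lf = payload.find(b"\n", cursor)
    if lf >= 0 and lf < cursor + within:
        return f"LF found {lf - cursor} bytes after 'PASS ': negated content fails, no alert"
    return f"no LF within {within} bytes after 'PASS ': negated content succeeds, alert"


if __name__ == "__main__":
    for name, data in [("posted", POSTED_PAYLOAD), ("long", LONG_PASS),
                       ("short", SHORT_PASS), ("no-terminator", NO_TERMINATOR)]:
        print(f"{name:14s} fires={rule_1634_matches(data)!s:5s} {explain(data)}")
```

Note the last case: a client that sends "PASS " and the password in one segment and the CR LF in a later one would satisfy the rule as written, since the negated check only sees the bytes present in the packet being inspected.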


