Re: IMAP Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow

[Yew Chuan Ong <yewchuan88 () gmail com>]

Thanks.
One question, it is normal to see packet with size greater than 668 bytes?
Is it the only indicator?

On Mon, Mar 26, 2012 at 5:53 AM, rmkml <rmkml () yahoo fr> wrote:

> Hi,
> Your revision on this rule are correct, but you don't have flowbits on
> this rule: strange ?
> Please add this flowbits:  flowbits:isset,qualcom.**worldmail.ok;
> Regards
> Rmkml
>
>
>
> On Mon, 26 Mar 2012, Yew Chuan Ong wrote:
>
>  Hye guys,
> > I experienced lots of FPs with this sig - IMAP Qualcomm WorldMail IMAP
> > Literal Token Parsing Buffer Overflow.
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP Qualcomm
> > WorldMail IMAP
> > Literal Token Parsing Buffer Overflow"; flow:established,to_server;
> > dsize:>668;
> > metadata:policy balanced-ips drop, policy security-ips drop, service
> > imap; refer
> > ence:bugtraq,15980; reference:cve,2005-4267; classtype:attempted-admin;
> > sid:1732
> > 8; rev:1;)
> > When I checked on the payloads, these are just normal email contents (not
> > suspicious). I am wondering why the packet size is more than 668 bytes if
> > it is not a real buffer overflow attempt. Any ideas?
> > Thanks.
> > Regards
> > Yew Chuan
------------------------------------------------------------------------------
This SF email is sponsosred by:
Try Windows Azure free for 90 days Click Here 
http://p.sf.net/sfu/sfd2d-msazure

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!