Hosting Provided By

[Snort-sigs] Re: Signatures related to POP3 overflow attempt

From: Nate Haggard <nate(at)securitymetrics.com>
Date: Wed May 28 2003 - 12:33:30 EDT

I have also had false positives with POP3. The packets that trigger alerts all have |0a| in them so the rules should not be triggered, right?

05/05-18:05:21.126383 < l/l len: 6 l/l type: 0x1 0:40:96:41:E4:55 pkt type:0x0 proto: 0x800 len:0x52
xxx.xxx.xxx.xxx:1513 -> xxx.xxx.xxx.xxx:110 TCP TTL:128 TOS:0x0 ID:3055 8 IpLen:20 DgmLen:66 DF
***AP*** Seq: 0xCD6230C3 Ack: 0xA682401F Win: 0xFAA9 TcpLen: 20 55 53 45 52 20 62 63 37 37 37 40 65 61 72 74 68 USER bc777@defrd

6C 69 6E 6B 2E 6E 65 74 0D 0A                    link.net..

The packet ends with |0d 0a| (CRLF) and that should not match the rule with "content:"USER"; nocase; content:!"|0a|"; within:50;"

To fix this false positive add content:!"|0d|"; to the rule. The rule modifictaions I have made are the following:

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER "; nocase; content:!"|0a|"; content:!"|0d|"; within:50; reference:bugtraq,789; reference:cve,CVE-1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH "; nocase; content:!"|0a|"; content:!"|0d|"; within:50; classtype:attempted-admin; sid:1936; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST "; nocase; content:!"|0a|"; content:!"|0d|"; within:50; reference:bugtraq,948; reference:cve,CAN-2000-0096; classtype:attempted-admin; sid:1937; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND "; nocase; content:!"|0a|"; content:!"|0d|"; within:50; classtype:attempted-admin; sid:1938; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS "; nocase; content:!"|0a|"; content:!"|0d|"; within:50; reference:cve,CAN-1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP "; nocase; content:!"|0a|"; content:!"|0d|"; within:256; reference:cve,CAN-2000-0841; reference:bugtraq,1652; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:5;)

Nate Haggard

This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Thu May 29 09:03:46 2003

This message: [ Message body ]
Next message: r2d2r4(at)crusoecids.dyndns.org: "[Snort-sigs] How detect relaying with qmail and snort ?"
Previous message: Jim Breton: "[Snort-sigs] Proposed change to icmp-info.rules"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT