On 0, Russell Fulton <r.fulton@auckland.ac.nz> allegedly wrote:
I am seeing many hits on this rule for what appear to be perfectly
normal IMAP requests.
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch overflow
attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:
100,relative; pcre:"/\sFETCH\s[^\n]{100}/smi"; reference:bugtraq,11775;
classtype:misc-attack; sid:3070; rev:1;)
My understanding of this is that we are looking for a newline within 100
characters of 'FETCH' and alerting if we don't find it. Unfortunately
there are many legitimate FETCH requests that are longer than 100 chars.
There is no doc on the rule so I don't know what specific attack (if
any) this is trying to detect.
I will be disabling this rule.
Russell.
Looks like a number of docs are missing from snort.org at the moment.
Sorry about that, we'll get that fixed asap. The docs *do* exist, you
just can't see them right now :)
Here is the doc for 3070:
Sid:
3070
--
Summary:
This event is generated when an attempt is made to exploit a buffer
overflow associated with the several commands of the Mercury Mail IMAP
service.
--
Impact:
A successful attack may cause a denial of service or a buffer overflow
and the subsequent execution of arbitrary code on a vulnerable server.
--
Detailed Information:
A vulnerability exists in the way that the Mercury Mail IMAP service
handles several commands. An excessively long command argument can
trigger a denial of service or a buffer overflow and the subsequent
execution of arbitrary code on a vulnerable server.
--
Affected Systems:
Pegasus Mail Mercury Mail Transport System 3.32
Pegasus Mail Mercury Mail Transport System 4.01a
--
Attack Scenarios:
An attacker can supplied an overly long command, causing
denial of service or a buffer overflow.
--
Ease of Attack:
Simple.
--
False Positives:
None known.
--
False Negatives:
None known.
--
Corrective Action:
Upgrade to the latest non-affected version of the software.
--
Contributors:
Sourcefire Research Team
Brian Caswell
Judy Novak
+-----------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
Stewie: You know, I rather like this God fellow. Very theatrical,
you know. Pestilence here, a plague there. Omnipotence
...gotta get me some of that.
-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
