[Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070

I am seeing many hits on this rule for what appear to be perfectly
normal IMAP requests.

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch overflow
attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:
100,relative; pcre:"/\sFETCH\s[^\n]{100}/smi"; reference:bugtraq,11775;
classtype:misc-attack; sid:3070; rev:1;)

My understanding of this is that we are looking for a newline within 100
characters of 'FETCH' and alerting if we don't find it.  Unfortunately
there are many legitimate FETCH requests that are longer than 100 chars.

There is no doc on the rule so I don't know what specific attack (if
any) this is trying to detect.

I will be disabling this rule.

Russell.








-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs