Network Security: Detailed info on Re: [Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Snort-Signatures

[Top] [All Lists]

Re: [Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070

from [Frank Knobbe] Network Security

[Permanent Link]

Subject:	Re: [Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070
Date:	Mon, 24 Jan 2005 22:17:05 -0600

On Tue, 2005-01-25 at 15:05 +1300, Russell Fulton wrote:

I am seeing many hits on this rule for what appear to be perfectly
normal IMAP requests.

[...] My understanding of this is that we are looking for a newline within 100
characters of 'FETCH' and alerting if we don't find it.  Unfortunately
there are many legitimate FETCH requests that are longer than 100 chars.
[..] I will be disabling this rule.


Russell,

instead of disabling it, why not just increase the amount of characters?
Perhaps... say... 300? That should be less noisy but still catch
attempts of people trying to overflow the server with long packets.

Regards,
Frank

signature.asc
Description: This is a digitally signed message part

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070, Russell Fulton Re: [Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070, Nigel Houghton Re: [Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070, Paul Schmehl Re: [Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070, Frank Knobbe [Snort-sigs] Mistake in rule 2196, Ofer Shezaf Re: [Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070, Frank Knobbe <= Re: [Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070, Russell Fulton

Previous by Date:	Re: [Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070, Paul Schmehl
Next by Date:	[Snort-sigs] L3Retriever false positives, Javier Fernandez-Sanguino
Previous by Thread:	[Snort-sigs] Mistake in rule 2196, Ofer Shezaf
Next by Thread:	Re: [Snort-sigs] false +ves on IMAP fetch overflow attempt: sid 3070, Russell Fulton
Indexes:	[Date] [Thread] [Top] [All Lists]