Network Security: Detailed info on Re: [Snort-sigs] Possible improvements to pop3 rules.

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Snort-Signatures

[Top] [All Lists]

Re: [Snort-sigs] Possible improvements to pop3 rules.

from [Frank Knobbe] Network Security

[Permanent Link]

Subject:	Re: [Snort-sigs] Possible improvements to pop3 rules.
Date:	Wed, 04 May 2005 07:51:12 -0500

On Wed, 2005-05-04 at 08:04 -0400, Michael Stone wrote:

On Wed, May 04, 2005 at 02:56:59PM +1000, Erik de Castro Lopo wrote:

Here we have a search of the string "USER" followed by the given
PCRE search. However, the PCRE is anchored to the start of the
packet.


Hmm. That's bogus. There's no reason that the USER has to be at the
start of the packet.



Heh... actually, I think I have to agree. The USER has to be at the
beginning on the line, but that doesn't have to be the beginning of the
_stream_. By default, POP3 sessions are reassembled (and some people
probably reassemble all TCP streams). USER doesn't have to be at the
beginning of the stream. One can enter a bogus command, like HELP or
something, before issuing USER.

Perhaps the rule is better kept as it is.

Cheers,
Frank

signature.asc
Description: This is a digitally signed message part

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] Possible improvements to pop3 rules., Erik de Castro Lopo Re: [Snort-sigs] Possible improvements to pop3 rules., Frank Knobbe Re: [Snort-sigs] Possible improvements to pop3 rules., Michael Stone Re: [Snort-sigs] Possible improvements to pop3 rules., Frank Knobbe Re: [Snort-sigs] Possible improvements to pop3 rules., Frank Knobbe <= Re: [Snort-sigs] Possible improvements to pop3 rules., Jeff Kell Re: [Snort-sigs] Possible improvements to pop3 rules., Brian Re: [Snort-sigs] Possible improvements to pop3 rules., Frank Knobbe Re: [Snort-sigs] Possible improvements to pop3 rules., pr00f Re: [Snort-sigs] Possible improvements to pop3 rules., Erik de Castro Lopo

Previous by Date:	Re: [Snort-sigs] Possible improvements to pop3 rules., Frank Knobbe
Next by Date:	Re: [Snort-sigs] Possible improvements to pop3 rules., Jeff Kell
Previous by Thread:	Re: [Snort-sigs] Possible improvements to pop3 rules., Frank Knobbe
Next by Thread:	Re: [Snort-sigs] Possible improvements to pop3 rules., Jeff Kell
Indexes:	[Date] [Thread] [Top] [All Lists]