From: Shane Hickey (shane_at_howsyournetwork.com)
Date: Tue Dec 03 2002 - 11:33:40 CST

    Can someone help me make sense of this? I tried checking the snort
    website, but I can't resolve it right now (neither can ns.cw.net for
    that matter). Anyway, here's the rule I have questions about

    alert tcp !$HOME_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow
    attempt"; flow:to_server,established; content:"PASS "; nocase;
    content:!"|0a|"; within:60; reference:cve,CAN-1999-1511;
    reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:5;)

    It seems to me that it's saying that if something specific in the
    content section isn't found within 60 (bits?) then this matches. The
    problem that I'm having is that I'm getting alerts for this rule on what
    seems like normal POP3 traffic. For example, this matched. (IPs and
    password strings changed, but I left the password string the same
    length). Is it the ".." after the password? I wasn't sure if that was
    part of the password string, but I suppose it could be.

    #(1 - 143127) [2002-12-03 09:49:35] nessus[cve/CAN-1999-1511]
    [icat/CAN-1999-1511] [snort/1634] POP3 PASS overflow attempt
    IPv4: 10.10.10.10 -> 192.168.1.1
          hlen=5 TOS=0 dlen=54 ID=5260 flags=0 offset=0 TTL=114 chksum=41906
    TCP: port=1370 -> dport: 110 flags=***AP*** seq=4263001887
          ack=2494728179 off=5 res=0 win=9576 urp=0 chksum=53014
    Payload: length = 14

    000 : 50 41 53 53 20 77 69 6C 64 61 6C 32 0D 0A PASS passwo2..

    -- 
    Shane Hickey
    Network/System Consultant
    Howsyournetwork.com
    406.240.6675
    

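An added example (not Snort's code and not from the post above) that models only the content, nocase and within options of the quoted rule: within:60 restricts the search for the second content to the 60 bytes following the end of the preceding "PASS " match, and the leading ! makes that option succeed only when no 0x0a byte is found in that window. The flow option, stream reassembly and the rest of Snort's detection engine are assumed away, and all payloads are constructed, the first one mirroring the 14-byte shape of the packet in the posted alert.

```python
# Added example, not Snort's code: a model of the two content options of
# sid:1634 rev:5. flow:to_server,established, stream reassembly and the rest
# of the detection engine are NOT modelled, so this shows what the rule text
# expresses, not necessarily what a given Snort build does with a stream.

PASS_PATTERN = b"PASS "   # content:"PASS "; nocase;
TERMINATOR = b"\x0a"      # content:!"|0a|"; within:60;
WITHIN = 60               # bytes, counted from the END of the "PASS " match

def rule_1634_content_match(payload: bytes) -> dict:
    """Evaluate the content checks of sid:1634 against one packet payload
    and return the verdict with the offsets used, so each step is visible."""
    # nocase applies to the preceding content only, so compare lower-cased.
    pass_off = payload.lower().find(PASS_PATTERN.lower())
    if pass_off < 0:
        return {"match": False, "reason": "no PASS keyword"}
    win_start = pass_off + len(PASS_PATTERN)
    window = payload[win_start:win_start + WITHIN]
    lf_off = window.find(TERMINATOR)
    if lf_off >= 0:
        # Negated content: a line feed inside the window makes the option
        # fail, so the rule does not fire on this payload.
        return {"match": False, "reason": "LF inside window",
                "lf_offset": win_start + lf_off}
    # No LF in the 60 bytes after "PASS ": the negated option succeeds.
    return {"match": True, "reason": "no LF within %d bytes" % WITHIN,
            "window_len": len(window)}

# Constructed payloads. The first mirrors the shape and 14-byte length of the
# packet in the alert above (ASCII column as printed in the post).
SAMPLES = {
    "normal_login": b"PASS passwo2\r\n",
    "lowercase_cmd": b"pass passwo2\r\n",           # nocase still matches
    "long_password": b"PASS " + b"A" * 70 + b"\r\n",
    "lf_at_byte_60": b"PASS " + b"A" * 59 + b"\n",  # LF is 60th byte: inside
    "lf_at_byte_61": b"PASS " + b"A" * 60 + b"\n",  # LF is 61st byte: outside
    "split_segment": b"PASS secr",  # segment ends before the CRLF arrives
}

def evaluate_samples() -> dict:
    """Run every constructed sample through the rule model."""
    return {name: rule_1634_content_match(p)["match"]
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print("%-14s -> %s" % (name, "ALERT" if verdict else "no alert"))
```

The split_segment case shows why per-packet matching alone can fire on a legitimate login whose command is continued in a later segment; whether Snort saw such a segment here is not something the posted alert shows.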