false positive report: SID 2517 (msg#00206, security.ids.snort.sigs)
Hi - I'm seeing a lot of false positives for SID 2517 (IMAP PCT Client_Hello overflow attempt). They're triggered when I use Mozilla Thunderbird (Windows) to pick up mail from Courier-IMAP (Debian Sarge) via SSL. Snort Version 2.1.3 (Build 27) is sitting in between, running on IPCop. Casual observations suggest it only triggers when the connections are opened and not every time I pick up mail.

Sample logs are below, partial packet capture is attached. I can provide the whole capture if needed; I cropped it on the assumption that the later packets were just encrypted email data and not relevant.

I'm new to Snort so let me know if I'm not reporting this right.

Cheers-
Lorrin

```text
root@potato:/var/log/snort/192.168.123.10 # cat TCP\:2602-993
[**] IMAP PCT Client_Hello overflow attempt [**]
10/15-15:02:30.521361 0:50:FC:76:A8:F8 -> 0:A0:24:24:53:BF type:0x800 len:0x6B
192.168.123.10:2602 -> 67.182.135.20:993 TCP TTL:128 TOS:0x0 ID:49854 IpLen:20 DgmLen:93 DF
***AP*** Seq: 0x34C0C018  Ack: 0x3F48955D  Win: 0xF7AC  TcpLen: 20
17 03 01 00 30 26 8B 26 28 8B 29 8F E0 57 B3 97  ....0&.&(.)..W..
84 94 52 4E 42 48 E0 45 6B 1D C4 BC EF 89 1C DF  ..RNBH.Ek.......
0B 86 F8 A6 EB 6A 28 40 D9 09 B9 AC 5A 5E DD 25  .....j(@....Z^.%
B8 FE C6 0D 88                                   .....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

root@potato:/var/log/snort/192.168.123.10 # cat TCP\:2605-993
[**] IMAP PCT Client_Hello overflow attempt [**]
10/15-15:02:30.403500 0:50:FC:76:A8:F8 -> 0:A0:24:24:53:BF type:0x800 len:0x6B
192.168.123.10:2605 -> 67.182.135.20:993 TCP TTL:128 TOS:0x0 ID:49750 IpLen:20 DgmLen:93 DF
***AP*** Seq: 0x34C2D324  Ack: 0x3FC4AA86  Win: 0xFA7A  TcpLen: 20
17 03 01 00 30 D4 83 39 E0 96 92 8F 99 50 33 B7  ....0..9.....P3.
00 FB 62 D6 93 91 5D 1B AC F5 28 AD 75 2F 32 40  ..b...]...(.u/2@
36 5E 16 B1 F9 15 58 BF 4B 87 E3 27 AB C1 40 4A  6^....X.K..'..@J
29 13 EB 09 67                                   )...g

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
```
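A quick way to triage an alert like the one above is to rebuild the payload from the Snort hex dump and decode its first five bytes as a TLS record header. This is an added example, not code from the poster or from Snort; the alert text is pasted from the first record in the report, and the script does not reproduce the rule's own matching logic, which the post does not show.

```python
import re

# Constructed sample: the first alert record from the report above, pasted verbatim.
SAMPLE_ALERT = """\
[**] IMAP PCT Client_Hello overflow attempt [**]
10/15-15:02:30.521361 0:50:FC:76:A8:F8 -> 0:A0:24:24:53:BF type:0x800 len:0x6B
192.168.123.10:2602 -> 67.182.135.20:993 TCP TTL:128 TOS:0x0 ID:49854 IpLen:20 DgmLen:93 DF
***AP*** Seq: 0x34C0C018  Ack: 0x3F48955D  Win: 0xF7AC  TcpLen: 20
17 03 01 00 30 26 8B 26 28 8B 29 8F E0 57 B3 97  ....0&.&(.)..W..
84 94 52 4E 42 48 E0 45 6B 1D C4 BC EF 89 1C DF  ..RNBH.Ek.......
0B 86 F8 A6 EB 6A 28 40 D9 09 B9 AC 5A 5E DD 25  .....j(@....Z^.%
B8 FE C6 0D 88                                   .....
"""

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{2}$")

def expected_payload_len(alert: str) -> int:
    """TCP payload length implied by the alert header: DgmLen - IpLen - TcpLen."""
    dgm, ip, tcp = (int(re.search(k + r":\s*(\d+)", alert).group(1))
                    for k in ("DgmLen", "IpLen", "TcpLen"))
    return dgm - ip - tcp

def payload_bytes(alert: str) -> bytes:
    """Rebuild the payload from the hex dump lines, stopping at the printable column."""
    out = bytearray()
    for line in alert.splitlines():
        tokens = line.split()
        if not tokens or not HEX_TOKEN.match(tokens[0]):
            continue                      # header line, not a dump line
        for tok in tokens:
            if not HEX_TOKEN.match(tok):
                break                     # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out[: expected_payload_len(alert)])   # never trust more than IP declared

def decode_tls_record(payload: bytes) -> dict:
    """Decode the 5-byte TLS record header and check the record is exactly one packet."""
    if len(payload) < 5:
        raise ValueError("payload shorter than a TLS record header")
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return {"content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
            "version": VERSIONS.get((major, minor), f"unknown({major}.{minor})"),
            "length": length,
            "complete": len(payload) == 5 + length}

if __name__ == "__main__":
    print(decode_tls_record(payload_bytes(SAMPLE_ALERT)))
    # prints {'content_type': 'application_data', 'version': 'TLS 1.0', 'length': 48, 'complete': True}
```

For the reported packet the payload is a single, complete TLS 1.0 application_data record of 48 bytes, which fits the poster's reading that these are encrypted session data rather than a PCT Client_Hello; the same decode run over the rule's true positives would show a different content type or version.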