Snort mailing list archives

[Snort-Sigs] 19213 thousands of FP


From: matan monitz <mmonitz () gmail com>
Date: Tue, 27 Sep 2011 18:18:59 +0300

Hello,
Can someone please explain the logic behind the sig?
The ?Q? is very, very common and there is no minimal length on the sig.
Quoting from Secunia:

> 2) A boundary error in the List Mailer (imailsrv.exe) can be exploited to
> cause a stack-based buffer overflow via an overly-long string in the Subject
> field following the "?Q?" operator.

You can't just alert on this operator appearing in the subject! (BTW, I'll be
happy if someone can tell me what ?Q? means.)

P.S. The pcre should also be removed from the sig.
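As an added illustration (not part of the original post or of any Snort rule): `?Q?` is the quoted-printable marker of an RFC 2047 encoded-word, `=?charset?Q?encoded-text?=`, which mailers emit for any non-ASCII Subject, so its mere presence says nothing. The Secunia text describes an overly long string after the marker, so a detection keyed on the length of the encoded-text is what separates the advisory condition from everyday mail. The threshold below (256) and the sample Subject values are constructed for this example; RFC 2047 itself limits a single encoded-word to 75 characters, so even a conservative limit sits well above legitimate traffic.

```python
import re
from email.header import decode_header

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
# encoding is Q (quoted-printable) or B (base64).
ENCODED_WORD = re.compile(r'=\?([^?\s]+)\?([QqBb])\?([^?\s]*)\?=')

# Assumed threshold for this example. RFC 2047 caps one encoded-word at
# 75 characters, so anything far beyond that is not a normal mailer.
MAX_ENCODED_TEXT = 256


def q_encoded_words(subject: str):
    """Return (charset, encoded_text) for each Q-encoded word in a Subject."""
    return [(m.group(1), m.group(3))
            for m in ENCODED_WORD.finditer(subject)
            if m.group(2) in 'Qq']


def suspicious_subject(subject: str, limit: int = MAX_ENCODED_TEXT) -> bool:
    """Flag only when a Q-encoded word carries an over-long encoded-text.

    A short encoded-word (the common case) never fires; this is the
    minimal-length check the bare '?Q?' match lacks.
    """
    return any(len(text) > limit for _, text in q_encoded_words(subject))


def decode_subject(subject: str) -> str:
    """Decode RFC 2047 encoded-words to readable text (stdlib does the work)."""
    parts = []
    for raw, charset in decode_header(subject):
        if isinstance(raw, bytes):
            parts.append(raw.decode(charset or 'ascii', errors='replace'))
        else:
            parts.append(raw)
    return ''.join(parts)


def scan_headers(lines):
    """Scan constructed 'Subject:' header lines; return the ones that fire."""
    hits = []
    for line in lines:
        if line.lower().startswith('subject:'):
            value = line.split(':', 1)[1].strip()
            if suspicious_subject(value):
                hits.append(value)
    return hits


# Constructed sample Subject headers, not captured traffic.
BENIGN = 'Subject: =?UTF-8?Q?Re=3A_Meeting_tomorrow?='
PLAIN = 'Subject: Re: Meeting tomorrow'
OVERLONG = 'Subject: =?ISO-8859-1?Q?' + 'A' * 600 + '?='

if __name__ == '__main__':
    for line in (BENIGN, PLAIN, OVERLONG):
        value = line.split(':', 1)[1].strip()
        print(suspicious_subject(value), decode_subject(value)[:40])
    print(scan_headers([BENIGN, PLAIN, OVERLONG]))
```

The regex only recognises well-formed encoded-words; a detection that keys on `?Q?` alone would also fire on the benign line above, which is exactly the false-positive volume the post complains about.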

