imap.rules

This is the snapshot of Snot Latest Rules

# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: imap.rules,v 1.48.6.11 2008/04/22 20:53:19 vrtbuild Exp $
#--------------
# IMAP RULES
#--------------

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:service imap; reference:bugtraq,21724; reference:bugtraq,6298; reference:cve,2002-1580; reference:cve,2006-6424; reference:nessus,12532; classtype:misc-attack; sid:1993; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; reference:bugtraq,13727; reference:bugtraq,21110; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:cve,2006-5961; reference:cve,2007-2795; reference:nessus,10123; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:20;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; metadata:service imap; reference:bugtraq,10976; classtype:attempted-admin; sid:2664; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; metadata:service imap; reference:bugtraq,10976; reference:cve,2007-0221; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-026.mspx; classtype:attempted-admin; sid:2665; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:service imap; reference:bugtraq,21724; reference:cve,1999-0042; reference:cve,2006-6424; reference:nessus,10292; classtype:misc-attack; sid:2105; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:15;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; metadata:service imap; reference:bugtraq,11675; reference:cve,2004-1520; reference:nessus,15771; classtype:misc-attack; sid:3007; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; metadata:service imap; reference:bugtraq,11675; reference:cve,2004-1520; reference:nessus,15771; classtype:misc-attack; sid:3008; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; nocase; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:3058; rev:7;)

# auth is an imap2 function and only accepts literal usage
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; reference:bugtraq,21724; reference:cve,1999-0005; reference:cve,2006-6424; classtype:misc-attack; sid:1930; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/AUTH\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; reference:bugtraq,8861; reference:cve,2003-1177; reference:nessus,11910; classtype:misc-attack; sid:2330; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902; rev:13;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2106; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1845; rev:19;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2118; rev:10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1903; rev:12;)

# FIND does not accept a literal command
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/^\sFIND\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1904; rev:12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service imap; reference:bugtraq,4713; reference:cve,2002-0379; reference:nessus,10966; classtype:misc-attack; sid:1755; rev:19;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; metadata:service imap; reference:bugtraq,4713; reference:cve,2002-0379; reference:nessus,10966; classtype:misc-attack; sid:2046; rev:9;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; metadata:service imap; reference:bugtraq,7446; classtype:misc-attack; sid:2107; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:service imap; reference:bugtraq,7446; classtype:misc-attack; sid:2120; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login brute force attempt"; flow:to_server,established; content:"LOGIN"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; metadata:service imap; classtype:suspicious-login; sid:2273; rev:4;)