2409.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:  

--
Sid:
2409

--
Summary:
This event is generated when an attempt is made to overflow a buffer by
supplying a very long username to an APOP POP3 service.

--
Impact:
Serious. Several POP3 servers are vulnerable to USER buffer overflows.

--
Detailed Information:
By supplying more than 626 bytes of data to the APOP USER command on 1st
Class Internet Solutions' 1st Class Mail Server, an attacker may
overflow a buffer resulting in the opportunity to execute code of their
choosing on the targeted machine with the privileges of the user running
the service.

Other Mail software may be prone to this attack.

--
Affected Systems:
	1st Class Mail Server

--
Attack Scenarios:
An attacker may connect to the service and supply an over-long username
to overflow the buffer.

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known

--
Corrective Action:
Apply the appropriate vendor supplied patches.

Upgrade to the latest non-affected version of the software.

Check for other events generated by the source IP address.

--
Contributors:
Sourcefire Research Team
Matt Watchinski <mwatchinski@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

-- 
Additional References:


--