snort2-docker/docker/etc/rules/protocol-imap.rules

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# PROTOCOL-IMAP RULES
#---------------------
# Layout note: each line below is one Snort 2 rule. A leading "# " disables the
# rule. In this file only sid 11004 and sid 43067 are enabled, and both carry
# flowbits:noalert, so as shipped this file sets flowbits but raises no alerts.
#
# sid 5705 - fires when the whitespace after CAPABILITY is followed by 100 bytes
# with no newline (isdataat:100,relative guards the pcre).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP CAPABILITY overflow attempt"; flow:established,to_server; content:"CAPABILITY"; nocase; isdataat:100,relative; pcre:"/\sCAPABILITY\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,15006; reference:cve,2005-3155; classtype:misc-attack; sid:5705; rev:9;)
#
# Directory-traversal group (sids 5703, 5702, 5700, 5699, 5697, 5696): after the
# command, look for two dots followed by a slash or backslash, each character
# accepted either literal or percent-encoded; the scan stops at the first "&".
# sids 5701 (STATUS) and 5698 (LIST) use a narrower pattern that only matches
# the literal three-byte sequence "../" - their coverage is smaller than the
# siblings' and they should be aligned if this group is ever re-enabled.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP unsubscribe directory traversal attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; fast_pattern:only; pcre:"/\sUNSUBSCRIBE[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:misc-attack; sid:5703; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP subscribe directory traversal attempt"; flow:established,to_server; content:"SUBSCRIBE"; fast_pattern:only; pcre:"/\sSUBSCRIBE[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/smi"; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:5702; rev:10;)
# sid 5701 - literal "../" only (see group note above).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP status directory traversal attempt"; flow:established,to_server; content:"STATUS"; fast_pattern:only; pcre:"/\sSTATUS\s*\S*\x2e\x2e\x2f/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:misc-attack; sid:5701; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP rename directory traversal attempt"; flow:established,to_server; content:"RENAME"; fast_pattern:only; pcre:"/\sRENAME[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:misc-attack; sid:5700; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP lsub directory traversal attempt"; flow:established,to_server; content:"LSUB"; fast_pattern:only; pcre:"/\sLSUB[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:misc-attack; sid:5699; rev:8;)
# sid 5698 - literal "../" only (see group note above).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP list directory traversal attempt"; flow:established,to_server; content:"LIST"; fast_pattern:only; pcre:"/\sLIST\s*\S*\x2e\x2e\x2f/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:misc-attack; sid:5698; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP examine directory traversal attempt"; flow:established,to_server; content:"EXAMINE"; fast_pattern:only; pcre:"/\sEXAMINE[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:misc-attack; sid:5697; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP delete directory traversal attempt"; flow:established,to_server; content:"DELETE"; fast_pattern:only; pcre:"/\sDELETE[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/smi"; metadata:service imap; reference:bugtraq,15488; reference:cve,2005-3189; classtype:misc-attack; sid:5696; rev:8;)
# Format-string pair for SEARCH (sids 4646/4645) and LOGIN (sids 2665/2664).
# The "literal" variant requires "{N}" then a newline and a "%" on the next
# line (the literal payload); the plain variant matches any "%" on the command
# line itself, so it is the broader of the two and the more likely to be noisy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP search literal format string attempt"; flow:established,to_server; content:"SEARCH"; fast_pattern:only; pcre:"/\sSEARCH\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; metadata:service imap; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:4646; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP search format string attempt"; flow:established,to_server; content:"SEARCH"; fast_pattern:only; pcre:"/\sSEARCH\s[^\n]*?%/smi"; metadata:service imap; reference:bugtraq,10976; reference:cve,2005-2878; classtype:attempted-admin; sid:4645; rev:9;)
#
# sid 3076 - anchored as "<tag> UNSUBSCRIBE ..." via ^\w+\s+. Note isdataat:100
# here is NOT relative (it counts from the start of the payload), unlike the
# isdataat:...,relative used by the other overflow rules in this file.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP UNSUBSCRIBE overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100; pcre:"/^\w+\s+UNSUBSCRIBE\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:cve,2004-1211; reference:cve,2005-3189; reference:nessus,15867; classtype:attempted-admin; sid:3076; rev:13;)
#
# Literal-overflow rules (sids 3075, 3071, 3069, 3067, 3065, 3058, 3008 below,
# and the same shape elsewhere in this file): the pcre positions the cursor just
# past the "{" that opens an IMAP literal, then byte_test reads up to 5 ASCII
# decimal digits there and fires when the announced literal length exceeds the
# threshold - 256 for most rules, 1024 for sid 3058 (COPY), 100 for sid 3008
# (DELETE). Because the check is on the announced size, the rule fires before
# the literal body itself is sent.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; fast_pattern:only; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3075; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; fast_pattern:only; pcre:"/\sSTATUS[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15491; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3071; rev:13;)
# sid 3070 - non-literal form: 256 bytes after "FETCH " with no newline.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:256,relative; pcre:"/\sFETCH\s[^\n]{256}/smi"; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3070; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; fast_pattern:only; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3069; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; fast_pattern:only; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3067; rev:11;)
# sid 3066 - no pcre: fires when the 256 bytes following APPEND contain no CRLF
# (content:!"|0D 0A|"; within:256), i.e. an over-long command line.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP APPEND overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:256,relative; content:!"|0D 0A|"; within:256; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,21729; reference:cve,2004-1211; reference:cve,2006-6425; reference:nessus,15867; classtype:misc-attack; sid:3066; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP append literal overflow attempt"; flow:established,to_server; content:"APPEND"; fast_pattern:only; pcre:"/\sAPPEND\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3065; rev:11;)
# sid 3058 - threshold 1024 rather than 256.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; fast_pattern:only; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:3058; rev:13;)
# sid 3008 - threshold 100 rather than 256.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; fast_pattern:only; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11675; reference:cve,2005-1520; reference:nessus,15771; classtype:misc-attack; sid:3008; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; fast_pattern:only; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,10976; reference:cve,2007-0221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026; classtype:attempted-admin; sid:2665; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login format string attempt"; flow:established,to_server; content:"LOGIN"; fast_pattern:only; pcre:"/\sLOGIN\s[^\n]*?%/smi"; metadata:ruleset community, service imap; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:2664; rev:12;)
# sid 2330 - content:"AUTH" has no nocase, so the match is case-sensitive; fires
# when the 368 bytes after AUTH contain no LF.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP auth overflow attempt"; flow:to_server,established; content:"AUTH"; isdataat:368,relative; content:!"|0A|"; within:368; metadata:ruleset community, service imap; reference:bugtraq,8861; reference:cve,2003-1177; reference:nessus,11910; classtype:misc-attack; sid:2330; rev:11;)
# sid 2273 - brute-force indicator: detection_filter suppresses the alert until
# 30 LOGIN commands reach the same destination within 30 seconds (track by_dst).
# flow:no_stream evaluates raw packets rather than reassembled stream data.
# The threshold is a tuning knob; 30/30 may be low for busy mail clients.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login brute force attempt"; flow:to_server,established,no_stream; content:"LOGIN"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:ruleset community, service imap; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:2273; rev:12;)
# sids 2120, 2119, 2105, 1930, 1902, 1845 - literal-size checks: byte_test reads
# up to 5 decimal digits after the "{" located by the pcre and fires on > 256.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; fast_pattern:only; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,7446; reference:cve,2003-1470; classtype:misc-attack; sid:2120; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; fast_pattern:only; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119; rev:14;)
# sid 2107 - 1024 bytes after "CREATE " with no newline.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; metadata:ruleset community, service imap; reference:bugtraq,7446; reference:cve,2003-1470; classtype:misc-attack; sid:2107; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,1110; reference:bugtraq,15006; reference:cve,2000-0284; reference:cve,2005-3155; reference:nessus,10374; classtype:misc-attack; sid:2106; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; fast_pattern:only; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,21724; reference:cve,1999-0042; reference:cve,2006-6424; reference:nessus,10292; classtype:misc-attack; sid:2105; rev:16;)
# sid 2046 - uses a greedy ".*" under /s and has no isdataat guard before the
# pcre, whereas its sibling sid 1755 below uses ".*?" and isdataat:1024,relative.
# The greedy form can backtrack across the whole buffer on long PARTIAL
# commands; worth aligning with sid 1755 if this rule is re-enabled (presumed
# cost only - not measured here).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; metadata:ruleset community, service imap; reference:bugtraq,4713; reference:cve,2002-0379; reference:nessus,10966; classtype:misc-attack; sid:2046; rev:14;)
# sid 1930 - the pcre alternation accepts the "{N}" literal marker either before
# or after the AUTH token (lookaheads), then byte_test checks N > 256.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; fast_pattern:only; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,21724; reference:cve,1999-0005; reference:cve,2006-6424; classtype:misc-attack; sid:1930; rev:16;)
# sid 1904 - NOTE(review): the pcre is "^\sFIND", i.e. the line must BEGIN with
# whitespace immediately before FIND. A normally tagged "<tag> FIND ..." line
# does not start with whitespace, so this looks stricter than intended; compare
# sid 1903 (RENAME) directly below, which uses "\sRENAME" without "^". Confirm
# against the traffic the rule was written for before re-enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/^\sFIND\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1904; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1903; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; fast_pattern:only; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; fast_pattern:only; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1845; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:18;)
# sid 1755 - lazy ".*?" plus an isdataat:1024,relative guard (see sid 2046 note).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; isdataat:1024,relative; pcre:"/\sPARTIAL.*?BODY\[[^\]]{1024}/smi"; metadata:ruleset community, service imap; reference:bugtraq,4713; reference:cve,2002-0379; reference:nessus,10966; classtype:misc-attack; sid:1755; rev:24;)
# CRAM-MD5 flowbit pair.
# sid 11004 (enabled) sets imap.cram_md5 when a client sends the literal
# "AUTHENTICATE CRAM-MD5" (no nocase, so the match is case-sensitive) and
# suppresses its own alert via flowbits:noalert.
# sid 15484 (disabled here) is the only reader of that bit in this file: it
# requires the bit, clears it, and fires when the next client line is at least
# 300 bytes with no CRLF in the first 300 (isdataat:300; content:!"|0D 0A|";
# depth:300). With 15484 commented out, 11004 sets a bit nothing in this file
# consumes - it only does useful work if 15484 (or a rule in another file that
# reads imap.cram_md5) is enabled alongside it.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP CRAM-MD5 authentication method buffer overflow attempt"; flow:to_server,established; flowbits:isset,imap.cram_md5; flowbits:unset,imap.cram_md5; content:"|0D 0A|"; fast_pattern:only; isdataat:300; content:!"|0D 0A|"; depth:300; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,11675; reference:bugtraq,14317; reference:bugtraq,23172; reference:cve,2005-1520; reference:cve,2007-1675; classtype:attempted-admin; sid:15484; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP CRAM-MD5 authentication request detected"; flow:to_server,established; content:"AUTHENTICATE CRAM-MD5"; fast_pattern:only; flowbits:set,imap.cram_md5; flowbits:noalert; metadata:service imap; reference:url,en.wikipedia.org/wiki/CRAM-MD5; classtype:protocol-command-decode; sid:11004; rev:16;)
# sid 5704 - 100 bytes after "SELECT " with no newline.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP SELECT overflow attempt"; flow:established,to_server; content:"SELECT"; nocase; isdataat:100,relative; pcre:"/\sSELECT\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,15006; reference:cve,2005-3155; reference:cve,2005-3691; reference:cve,2006-1255; classtype:misc-attack; sid:5704; rev:14;)
# sids 3074/3073 - anchored as "<tag> SUBSCRIBE ..." via ^\w+\s+. As with sid
# 3076, the isdataat:100 in 3074 is absolute (from payload start), not relative.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP SUBSCRIBE overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-1579; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3074; rev:19;)
# sid 3073 - NOTE(review): byte_test is written "relative,string" with no "dec",
# while every other literal rule in this file writes "string,dec,relative".
# Presumably equivalent (decimal being the default for string mode) - confirm
# against the Snort 2 byte_test documentation before relying on it.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP SUBSCRIBE literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; fast_pattern:only; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,relative,string; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3073; rev:17;)
# sid 3072 - fires when the 100 bytes after STATUS contain no CRLF.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP STATUS overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; content:!"|0D 0A|"; within:100; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,13727; reference:bugtraq,14243; reference:bugtraq,15491; reference:cve,2004-1211; reference:cve,2005-1256; reference:cve,2005-2278; reference:cve,2005-3314; reference:cve,2017-1274; reference:nessus,15867; classtype:misc-attack; sid:3072; rev:19;)
# sid 3007 - generic command overflow. NOTE(review): the rule's only content
# match is the case-sensitive literal "LOGIN" (no nocase), and isdataat:100 is
# relative to THAT match, not to the command named in the pcre. The listed
# commands are therefore only examined in payloads that also contain "LOGIN";
# a long APPEND/FETCH/... line in a buffer without "LOGIN" is not matched by
# this rule (the per-command rules above cover some of those cases).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP command overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\s(APPEND|CHECK|CLOSE|CREATE|DELETE|EXAMINE|EXPUNGE|FETCH|LIST|RENAME|SEARCH|SELECT|STATUS|SUBSCRIBE|UNSUBSCRIBE)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11675; reference:bugtraq,11775; reference:bugtraq,15006; reference:bugtraq,15753; reference:cve,2004-1211; reference:cve,2005-0707; reference:cve,2005-1520; reference:cve,2005-2923; reference:cve,2005-3155; reference:nessus,15771; classtype:misc-attack; sid:3007; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,1110; reference:bugtraq,15006; reference:cve,2000-0284; reference:cve,2005-3155; reference:nessus,10374; classtype:misc-attack; sid:2118; rev:19;)
# sid 1993 - encodes the size threshold inside the pcre instead of a byte_test:
# after "{" it accepts a leading "-", any 3-digit value 257-999 (25[7-9],
# 2[6-9][0-9], [3-9][0-9]{2}) or any value of 4+ digits. The content option
# appears after the pcre; with fast_pattern:only it serves only as the
# fast-pattern prefilter.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login literal buffer overflow attempt"; flow:established,to_server; pcre:"/\sLOGIN\s[^\n]*?\{\s*(-|[3-9][0-9]{2}|2[6-9][0-9]|25[7-9]|[0-9]{4})/smi"; content:"LOGIN"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,14718; reference:bugtraq,21724; reference:bugtraq,23810; reference:bugtraq,6298; reference:cve,2002-1580; reference:cve,2005-1758; reference:cve,2006-6424; reference:cve,2007-0221; reference:nessus,12532; classtype:misc-attack; sid:1993; rev:24;)
# sid 1842 - pcre flags are "/i" only, unlike the "/smi" used elsewhere; the
# pattern has no "^", "$" or ".", so the missing s/m flags do not change the
# match - a style inconsistency, not a behavioural one.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/i"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,13727; reference:bugtraq,21110; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2004-1011; reference:cve,2005-1255; reference:cve,2006-5961; reference:cve,2007-1373; reference:cve,2007-2795; reference:cve,2007-3925; reference:nessus,10123; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:34;)
# sid 43067 (enabled) - sets file.crammd5 and alerts nothing (flowbits:noalert).
# NOTE(review): the match is the exact, case-sensitive literal
# "a001 authenticate cram-md5" (no nocase), so it keys on one specific client
# tag and one casing, unlike sid 11004 which matches the upper-case command
# with any tag; and flow:to_server lacks "established". No rule in this file
# reads file.crammd5 - presumably a file-*.rules file does; verify that the
# consumer is enabled, otherwise this rule does no useful work.
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP IMAP CRAM-MD5 authentication attempt"; flow:to_server; content:"a001 authenticate cram-md5"; fast_pattern:only; flowbits:set,file.crammd5; flowbits:noalert; metadata:policy max-detect-ips drop, service imap; reference:cve,2007-1675; classtype:protocol-command-decode; sid:43067; rev:2;)