Re: POP Buffer Overflow

  • From: "Deus, Attonbitus" <Thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 03 May 2002 06:59:09 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 06:41 AM 5/3/2002, you wrote:

>I only find this in the event log on the ISA server.
>
>Event Type:     Warning
>Event Source:   ISS Filter
>Event Category: None
>Event ID:       6
>Date:           4/30/2002
>Time:           5:32:00 PM
>User:           N/A
>Computer:       PATHFINDER
>Description:
>POP buffer overflow detected from 209.94.202.69:1617 to 206.X.X.X:110
>
>Chris


Basically, the POP Intrusion Detection filter (on by default) is picking up 
what it considers to be an attack against a POP3 server.  Many different 
servers have had issues where very long commands submitted to the server 
could cause a buffer overrun - depending on the situation, successful 
attacks would result in things like DoS or remote code execution.

The client at the above IP is submitting data that the filter thinks could 
be hostile, so it is filtering it out.  I could not find any information on 
what criteria the filter uses to make this determination, but since it was 
written by ISS, they may have some more information on it.   It is too bad 
that ISA does not provide more information than it does- the data that 
caused the trigger really should be written to a log somewhere.  Kind of 
like the SMTP traps- they tell you the command that caused the trigger, but 
don't tell you where it came from :(.

HTH some...

ttyt

T


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPNKXrYhsmyD15h5gEQLCBwCfU2W3oIv4WkbV4lDqwq3VDvqotngAnjOJ
Ld0AZAJvsELh2Aa7NdO6QxKK
=awCs
-----END PGP SIGNATURE-----
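
Added example, not part of the original message and not the ISA/ISS filter's actual logic (the post notes its criteria are undocumented): a length check on client POP3 commands that also records the triggering data and where it came from. The function name, the RFC 1939/RFC 2449 limits chosen as thresholds, and the sample session are assumptions; the endpoints are the ones in the quoted event.

```python
import re

MAX_LINE = 255                             # RFC 2449: octets per command, CRLF included
KEYWORD = re.compile(rb"[A-Za-z]{3,4}")    # RFC 1939: keywords are 3 or 4 characters


def inspect_pop3(stream, src, dst, max_line=MAX_LINE):
    """Scan client-to-server POP3 bytes; return one finding per suspect command."""
    findings, offset = [], 0
    while offset < len(stream):
        end = stream.find(b"\r\n", offset)
        terminated = end != -1
        line_end = end + 2 if terminated else len(stream)
        line = stream[offset:line_end]
        reason = None
        if len(line) > max_line:
            # Covers both an oversized command and a long run with no CRLF yet.
            reason = "command exceeds %d octets" % max_line
        elif terminated and not KEYWORD.fullmatch(line[:-2].split(b" ", 1)[0]):
            # Assumption: no SASL AUTH exchange, whose continuation lines are base64.
            reason = "malformed keyword"
        if reason:
            findings.append({
                "src": src, "dst": dst, "offset": offset, "length": len(line),
                "reason": reason,
                "preview": line[:32].decode("ascii", "replace"),
            })
        offset = line_end
    return findings


# Constructed sample session: a normal USER, then a PASS with a 600-byte argument.
SAMPLE = b"USER chris\r\n" + b"PASS " + b"A" * 600 + b"\r\n" + b"QUIT\r\n"

if __name__ == "__main__":
    for f in inspect_pop3(SAMPLE, "209.94.202.69:1617", "206.X.X.X:110"):
        print("%(reason)s from %(src)s to %(dst)s: %(length)d octets at offset "
              "%(offset)d, starts %(preview)r" % f)
```

Each finding carries the source, the destination and the first bytes of the offending command, which is the detail the event above leaves out.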


