Signature 3529-0 false positives

Jan 6th, 2006

This signature triggers on a normal EXAMINE INBOX command. Won't the following regex fire on any IMAP EXAMINE command and not just "examine..256+"? Can this be combined with the "min match length" to fix?


[0-9][\x20][Ee][Xx][Aa][Mm][Ii][Nn][Ee][\x20][^\x0a\x0d]+[\x0a\x0d]

rupadras (Cisco Employee), Fri, 01/06/2006 - 14:48

Thank you for bringing this to our attention. Yes, the Min Match Length parameter should be used. We will release a modified signature in an upcoming release.
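The behaviour discussed in this thread, as an added Python example that is not part of the original posts and is not Cisco's signature code: it runs the quoted regex over constructed IMAP lines, with and without a minimum match length. Assumptions: the threshold of 256 is taken from the "256+" in the question, Min Match Length is modelled as the minimum byte length of the matched span, and Python's `re` stands in for the sensor's regex engine.

```python
import re

# Regex quoted in the question for signature 3529-0, compiled over bytes.
SIG_REGEX = re.compile(
    rb"[0-9][\x20][Ee][Xx][Aa][Mm][Ii][Nn][Ee][\x20][^\x0a\x0d]+[\x0a\x0d]"
)

# Assumed threshold, from the "256+" in the question; the value used in the
# released signature is not stated on the page.
ASSUMED_MIN_MATCH_LENGTH = 256


def match_lengths(stream: bytes) -> list[int]:
    """Byte length of every regex match found in the stream."""
    return [m.end() - m.start() for m in SIG_REGEX.finditer(stream)]


def fires(stream: bytes, min_match_length: int = 0) -> bool:
    """Model of the signature: alert only if some match spans at least
    min_match_length bytes (0 reproduces the regex-only behaviour)."""
    return any(n >= min_match_length for n in match_lengths(stream))


# Constructed sample traffic (not captured from a real session).
NORMAL_EXAMINE = b"a001 EXAMINE INBOX\r\n"
LONG_EXAMINE = b"a002 EXAMINE " + b"A" * 300 + b"\r\n"
OTHER_COMMAND = b"a003 SELECT INBOX\r\n"

if __name__ == "__main__":
    for label, data in [
        ("normal EXAMINE", NORMAL_EXAMINE),
        ("long EXAMINE", LONG_EXAMINE),
        ("SELECT", OTHER_COMMAND),
    ]:
        print(
            f"{label:15} match lengths={match_lengths(data)} "
            f"regex only={fires(data)} "
            f"with min length={fires(data, ASSUMED_MIN_MATCH_LENGTH)}"
        )
```

The regex alone matches the 16-byte span `1 EXAMINE INBOX\r`, which is the false positive reported above; with the length floor applied, only the oversized argument alerts.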
