
False positive in sig 3550

gpoer
Level 1

Using Eudora and Secure POP, we are getting false positives on signature 3550.

You can tell in the Hex output that the traffic is encrypted.

Any thoughts on how I could tune this to not generate false positives?

Thanks,

Geoff

Here is a log snip:

NEWLOG.log.200309302317:4,5247951,2003/10/01,06:22:40,2003/09/30,23:22:40,10008,3,100,OUT,IN,5,3550,0,TCP/IP,68.xxx.yyy.zzz,www.xxx.yyy.zzz,1085,110,0.0.0.0,pop buffer overflow

1 Reply

mcerha
Level 3

The vulnerability for 3550 is quite old. I would recommend that you filter out the server as a destination if you're sure it's not a vulnerable version of POP.
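The tuning suggested in the reply, expressed as a post-processing filter over alarm records in the format of the posted log line, as an added example: this is not code from either poster or a Cisco IDS feature, the field positions are an assumption read off the single posted line, and the sample records and RFC 5737 addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Field positions in the comma-separated alarm record, read off the posted
# log line; this layout is an assumption for the example, not vendor docs.
SIG_ID, SRC_ADDR, DST_ADDR, SRC_PORT, DST_PORT, SIG_NAME = 12, 15, 16, 17, 18, 20

@dataclass(frozen=True)
class Alarm:
    sig_id: int
    src: str
    dst: str
    src_port: int
    dst_port: int
    name: str

def parse_alarm(line: str) -> Alarm:
    """Split one alarm record into the fields a tuning filter keys on."""
    # Drop the "filename:" prefix that precedes the record in the log snip.
    _, _, record = line.partition(":")
    f = record.split(",")
    return Alarm(int(f[SIG_ID]), f[SRC_ADDR], f[DST_ADDR],
                 int(f[SRC_PORT]), int(f[DST_PORT]), f[SIG_NAME])

def is_suppressed(alarm: Alarm, exclusions) -> bool:
    """True when a rule matches: same signature, destination inside the
    excluded server network, same destination port. Anything else still fires,
    so a 3550 hit against an unlisted POP server is not hidden."""
    try:
        dst = ipaddress.ip_address(alarm.dst)
    except ValueError:
        return False  # masked or non-IP destination never matches a rule
    return any(alarm.sig_id == sig and dst in net and alarm.dst_port == port
               for sig, net, port in exclusions)

def filter_alarms(lines, exclusions):
    """Return the alarms that survive tuning, in log order."""
    return [a for a in map(parse_alarm, lines) if not is_suppressed(a, exclusions)]

# Constructed sample records modelled on the posted line (RFC 5737 addresses);
# the third keeps the original masked addresses to show the non-IP path.
SAMPLE_LOG = [
    "NEWLOG.log.200309302317:4,5247951,2003/10/01,06:22:40,2003/09/30,23:22:40,10008,3,100,OUT,IN,5,3550,0,TCP/IP,203.0.113.7,192.0.2.10,1085,110,0.0.0.0,pop buffer overflow",
    "NEWLOG.log.200309302317:4,5247952,2003/10/01,06:22:41,2003/09/30,23:22:41,10008,3,100,OUT,IN,5,3550,0,TCP/IP,203.0.113.7,198.51.100.9,1086,110,0.0.0.0,pop buffer overflow",
    "NEWLOG.log.200309302317:4,5247953,2003/10/01,06:22:42,2003/09/30,23:22:42,10008,3,100,OUT,IN,5,3550,0,TCP/IP,68.xxx.yyy.zzz,www.xxx.yyy.zzz,1085,110,0.0.0.0,pop buffer overflow",
]
# Tuning rule from the reply: ignore 3550 toward the known non-vulnerable server.
EXCLUSIONS = [(3550, ipaddress.ip_network("192.0.2.10/32"), 110)]

for alarm in filter_alarms(SAMPLE_LOG, EXCLUSIONS):
    print(alarm.sig_id, alarm.dst, alarm.name)  # the two unsuppressed hits
```

Keying the exclusion on signature, destination host and destination port rather than on the signature alone keeps 3550 firing for any POP server not on the list.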