Cisco Support Community

New Member

Signature ID 3109

I seem to get many hits on this signature, "Qmail crash", to and from mail servers. TAC was unable to provide meaty details on what causes the signature to fire. Has anyone run across continuous 3109 hits? I get them every day and treat them as benign.

7 REPLIES
Cisco Employee

Re: Signature ID 3109

Your TAC engineer has emailed the developers overnight to get more information on this signature for you. He will get back to you when the developers give him an answer. I'll keep an eye out for it also and post the response here so others can see the reply.

New Member

Re: Signature ID 3109

Thanks, I'll look out for replies.

New Member

Re: Signature ID 3109

I see it all the time, but haven't made the time to investigate it. Let me know what you find.

Cisco Employee

Re: Signature ID 3109

Here's the reply straight from the guys that write the code:

------------------------------------------------------------------------

Signature 3109 looks for an excessively long (1000+ characters) SMTP command. There is a DoS against an older version of QMail where an attacker could crash the mail service by sending a long SMTP command.

There has been a problem in the past with this signature producing false positives. If the sensor missed a crucial packet in an SMTP session (because of an overloaded sensor, asymmetric routing, etc.), it would not properly transition out of the SMTP command state. So, the sensor would continue to inspect the data state of an SMTP session as if it were still looking for commands, not data. With HTML-rich email, you can observe lines over 1000 characters in the data. This is normal, but the sensor would incorrectly interpret this as an SMTP command, firing a 3109. Logic has been added to the most recent 3.1 sensor code (service pack 3) to help combat the problem of missing packets. Please make sure the customer is running the latest code, as this problem should be corrected. If they are still experiencing these alarms with the latest code, please let us know.

---------------------------------------------------------------

If you are experiencing this message even after upgrading to 3.1(3)Sxx then I would suggest letting your TAC engineer know about it, or add filters onto your IDS system so that you don't see these anymore.

New Member

Re: Signature ID 3109

Our IDS sensors also see very high counts of this signature. We are running 3.1(3)S35. In the past 5 hours, we have recorded 485 events for the Qmail Length Crash signature. Upon inspecting the context, it appears to be normal email communication. It looks as though the email may be non-text, meaning some Outlook rich text or even HTML formatted. Might this be the cause of the false alarm?

Below is the context from one of the alarms:

------------------------------------------------------------

Attacker Context:

says stuff back to her, and so on and so on well i have a ton of clothes to do so i need to go love you always gloria


MSN 8 helps http://g.msn.com/8HMTEN/2020>ELIMINATE E-MAIL VIRUSES. Get 2 months FREE*.

------------------------------------------------------------

Another set of context seems completely normal to me:

------------------------------------------------------------

Attacker Context:

y though because maybe i can get all my cleaning and stuff done when we are thru christmas shopping because no one will be home to bug me and then i can finish it up on saturday morning and MAYBE come up saturday afternoon/evening - we will have to see..

------------------------------------------------------------

We cannot determine why this signature is firing so many false positives and are most likely going to disable it across all sensors.
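The following is an added example written for this thread, not Cisco sensor code. It models the check the developer reply describes (a command line of 1000 or more characters fires 3109) and the packet-loss failure mode (the sensor never sees the client's DATA line, stays in command state, and a long HTML body line then looks like a command). It also runs the two alarm contexts posted above through a coarse triage check: does the flagged text start with an SMTP verb at all? Assumptions: the sensor switches into body state on the client's DATA line alone (the server's 354 reply is ignored), the threshold is exactly 1000 characters, and every packet, message and context string below is constructed or copied from this thread.

```python
# Added model of the 3109 command-length check and its packet-loss false positive.
# Not Cisco code; threshold and state-machine behaviour are assumptions drawn from
# the developer reply in this thread. All packets below are constructed.

LONG_CMD_THRESHOLD = 1000  # "1000+ characters" per the developer reply (assumed: >= 1000)

# Verbs a real SMTP command line begins with (RFC 2821 set plus common extensions).
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
              "QUIT", "VRFY", "EXPN", "HELP", "AUTH", "STARTTLS"}


class Sensor3109:
    """Tracks one SMTP client stream the way the reply says the sensor does."""

    def __init__(self):
        self.in_data = False   # True between the DATA line and the terminating "." line
        self.buf = b""
        self.alarms = []       # (first 20 bytes of the line, its length) per 3109 fire

    def feed(self, packet: bytes) -> None:
        self.buf += packet
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            if self.in_data:
                if line == b".":           # end of body: back to command state
                    self.in_data = False
                continue                   # body lines are never length-checked
            # Command state: the only place 3109 can fire.
            if len(line) >= LONG_CMD_THRESHOLD:
                self.alarms.append((line[:20].decode("ascii", "replace"), len(line)))
            if line.upper().startswith(b"DATA"):
                self.in_data = True        # assumption: client DATA line alone flips state


def build_session(body_lines, mail_from=b"alice@example.com"):
    """Constructed client-side packets for one message: one per command, one per body line."""
    packets = [
        b"EHLO client.example.com\r\n",
        b"MAIL FROM:<" + mail_from + b">\r\n",
        b"RCPT TO:<bob@example.net>\r\n",
        b"DATA\r\n",                       # index 3: the "crucial packet" if lost
    ]
    packets += [line + b"\r\n" for line in body_lines]
    packets += [b".\r\n", b"QUIT\r\n"]
    return packets


DATA_PACKET_INDEX = 3


def alarms_for(packets, drop_index=None):
    """Replay packets through the sensor, optionally dropping one (overload, asymmetric routing)."""
    sensor = Sensor3109()
    for i, pkt in enumerate(packets):
        if i != drop_index:
            sensor.feed(pkt)
    return sensor.alarms


def looks_like_smtp_command(context: str) -> bool:
    """Triage check for a 3109 context string: does it begin with an SMTP verb?
    Coarse heuristic only; a body line starting with 'Help me' would also match."""
    words = context.split()
    return bool(words) and words[0].upper().rstrip(":") in SMTP_VERBS


# A constructed HTML-rich body line, well over 1000 characters on a single line.
HTML_LINE = b"<html><body>" + b"<font face=Arial>" * 60 + b"hello</body></html>"

# Leading words of the two alarm contexts posted in this thread.
CONTEXTS = [
    "says stuff back to her, and so on and so on well i have a ton of clothes to do",
    "y though because maybe i can get all my cleaning and stuff done",
]


if __name__ == "__main__":
    normal = build_session([b"Hi Bob,", HTML_LINE])
    print("complete capture  :", len(alarms_for(normal)), "alarm(s)")
    print("DATA packet lost  :", len(alarms_for(normal, DATA_PACKET_INDEX)), "alarm(s)")
    attack = build_session([b"x"], mail_from=b"A" * 1100 + b"@attacker.example")
    print("long MAIL FROM    :", len(alarms_for(attack)), "alarm(s)")
    for ctx in CONTEXTS:
        print("command-like?", looks_like_smtp_command(ctx), "|", ctx[:30])
```

Replaying the same session twice, once complete and once with the DATA packet dropped, reproduces the behaviour the reply describes: zero alarms versus one alarm on the 1051-byte HTML line. A genuine overlong command fires regardless. For triage, the check to make on an alarm is whether the context begins with a command verb; both contexts posted above start with ordinary body text, which is consistent with the false-positive explanation rather than a long command.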

New Member

Re: Signature ID 3109

Yes, I think I'll be filtering out signature 3109.

Cisco Employee

Re: Signature ID 3109

Certainly, if you're not running QMail then there's no danger in filtering out or disabling this alarm. I've let the developers know that customers are still seeing this.
