Network Client Detection

A match pattern that begins with the ^ symbol requires at least one line in the packet payload to begin with the pattern that follows. A match pattern that begins with the ! symbol requires that the string NOT match anything in the packet payload. In the plugin below, the ! and ^ symbols are combined so that NNM does not evaluate any packet whose payload contains a line starting with the pattern Received:.

The ^ symbol is more expensive to evaluate than the > symbol. Both ^<pattern> and ><pattern> find <pattern> at the beginning of a packet payload, so > is preferable there because it is less costly. Use ^ when looking for a string at the beginning of a line that is not at the beginning of the packet payload; for a string at the beginning of the payload, use the > character instead.

id=79526

hs_dport=25

clientissue

name=Buffer overflow in multiple IMAP clients

description=The remote e-mail client is Mozilla 1.3 or 1.4a which is vulnerable to a boundary condition error whereby a malicious IMAP server may be able to crash or execute code on the client.

solution=Upgrade to either 1.3.1 or 1.4a

risk=HIGH

match=^From:

match=^To:

match=^Date:

match=^User-Agent: Mozilla

match=!^Received:

regex=^User-Agent: Mozilla/.* \(.*rv:(1\.3|1\.4a)
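
The following Python sketch is an added example, not NNM code. It models the ^, > and ! prefixes as described above and runs the plugin's match and regex lines over constructed SMTP payloads. The function names, the substring handling of unprefixed patterns, and the line-anchored reading of ^ in regex= are assumptions.

```python
import re

# The match= and regex= lines of the plugin above (id=79526).
MATCHES = ["^From:", "^To:", "^Date:", "^User-Agent: Mozilla", "!^Received:"]
REGEX = r"^User-Agent: Mozilla/.* \(.*rv:(1\.3|1\.4a)"


def match_one(rule: str, payload: str) -> bool:
    """Evaluate one match= pattern using the prefixes the text describes."""
    negate = rule.startswith("!")
    if negate:
        rule = rule[1:]
    if rule.startswith("^"):      # some line of the payload starts with it
        hit = any(l.startswith(rule[1:]) for l in payload.splitlines())
    elif rule.startswith(">"):    # the payload itself starts with it
        hit = payload.startswith(rule[1:])
    else:                         # assumption: bare pattern = substring
        hit = rule in payload
    return hit != negate


def evaluate(payload: str, matches=MATCHES, regex=REGEX) -> bool:
    """True when every match= rule holds and the regex then matches."""
    if not all(match_one(m, payload) for m in matches):
        return False
    # Assumption: ^ in regex= anchors at a line start, like ^ in match=.
    return re.search(regex, payload, re.MULTILINE) is not None


# Constructed sample payloads (not captured traffic).
UA = "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:{}) Gecko/20030312"
HEAD = ("From: a@example.com\r\nTo: b@example.com\r\n"
        "Date: Mon, 1 Jan 2024 00:00:00 +0000\r\n")
direct = HEAD + UA.format("1.3") + "\r\n\r\nhello\r\n"    # sent by the client
relayed = "Received: from mx.example.net\r\n" + direct    # passed through a relay
newer = HEAD + UA.format("1.5") + "\r\n\r\nhello\r\n"     # version not listed

if __name__ == "__main__":
    for name, p in [("direct", direct), ("relayed", relayed), ("newer", newer)]:
        print(name, evaluate(p))
```

Under Python's regex semantics the regex= expression also matches rv:1.3.1, since nothing terminates the version after 1\.3.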