[Snort-sigs] Problems with SID 2161
sam at ...219...
Mon Jun 23 10:38:19 EDT 2003
We've noticed a ton of false positives today with SID 2161. The rule:
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".doc|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:1;)
I'm not sure why this is coming up, but we've confirmed with our Email
administrators that the documents being sent out were not infected with
any sort of virus.
Has anyone else seen this behavior with this SID?
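An added example, not part of the original post and not Snort's own code: a simplified Python model of the content chain in SID 2161, run on constructed SMTP payloads. It shows that the rule matches on the attachment filename alone, so any outbound attachment whose quoted filename ends in .doc triggers it regardless of the file's contents. Treating `within` as "the whole pattern must end inside the window" is an assumption of this model.

```python
# Simplified model of the content/distance/within chain in SID 2161.
# Not Snort's engine: no flow tracking, stream reassembly or port checks.

RULE_2161 = [  # (pattern, nocase, relative to previous match, within)
    (b"Content-Disposition:", False, False, None),  # |3a| is ':'
    (b'filename="', False, True, 30),               # |22| is '"'
    (b'.doc"', True, True, 30),                     # nocase applies here only
]

def find_all(hay, pat, start, end, nocase):
    """Yield the end offset of every occurrence of pat inside hay[start:end]."""
    if nocase:
        hay, pat = hay.lower(), pat.lower()
    pos = hay.find(pat, start, end)
    while pos != -1:
        yield pos + len(pat)
        pos = hay.find(pat, pos + 1, end)

def matches(payload, chain=RULE_2161, idx=0, cursor=0):
    """True if every content in the chain matches, trying each candidate offset."""
    if idx == len(chain):
        return True
    pat, nocase, relative, within = chain[idx]
    start = cursor if relative else 0  # distance:0 starts at the previous match end
    end = len(payload) if within is None else min(len(payload), start + within)
    return any(matches(payload, chain, idx + 1, nxt)
               for nxt in find_all(payload, pat, start, end, nocase))

def mime_part(filename):
    """Constructed sample: headers of one MIME attachment part."""
    return (b"Content-Type: application/octet-stream\r\n"
            b'Content-Disposition: attachment; filename="' + filename + b'"\r\n'
            b"\r\n(constructed body, contents never inspected by the rule)\r\n")

def verdicts():
    """Run the model over constructed filenames; True means the rule would alert."""
    names = [b"minutes.doc", b"REPORT.DOC", b"minutes.pdf"]
    return {n.decode(): matches(mime_part(n)) for n in names}

if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name:12} alert={hit}")
```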