[Snort-sigs] Problems with SID 2161

Sam Evans sam at ...219...
Mon Jun 23 10:38:19 EDT 2003


All:

We've noticed a ton of false positives today with SID 2161.  The rule
reads:

alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".doc|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:1;)

I'm not sure why this is coming up, but we've confirmed with our email
administrators that the documents being sent out were not infected with
any sort of virus.

Has anyone else seen this behavior with this SID?

Thanks,
Sam
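The false positives follow from how the rule is built: its three content clauses only look at the MIME header of the attachment (a Content-Disposition header whose filename ends in ".doc"), not at the attachment body, so every outbound Word document trips it whether or not it is infected. The following Python is an added example written for this note, not code from the original post or from Snort; it re-implements the rule's content chain (distance, within, nocase) over a few constructed SMTP header fragments to show what does and does not match. The interpretation of "within" used here (the pattern must end within N bytes of the end of the previous match) is an assumption about Snort's modifier semantics, and the sample headers are constructed for the demonstration.

```python
# Emulation of the three content clauses of SID 2161 (as quoted in the post).
# |3a| and |22| in the rule are hex escapes for ':' and '"'.
# Snort content matches are case-sensitive unless "nocase" is given, which
# in this rule applies only to the final '.doc"' clause.
SID_2161_CONTENTS = [
    (b'Content-Disposition:', {}),
    (b'filename="', {"distance": 0, "within": 30}),
    (b'.doc"', {"distance": 0, "within": 30, "nocase": True}),
]


def rule_matches(payload: bytes, contents=SID_2161_CONTENTS) -> bool:
    """Return True when every content clause matches in order.

    distance:N  - the next search starts N bytes after the previous match ends.
    within:N    - the next pattern must end no more than N bytes after the
                  previous match ends (assumed reading of Snort's modifier).
    Like Snort, an earlier clause is retried at its next occurrence if a later
    relative clause cannot be satisfied from the first occurrence.
    """

    def search(idx: int, prev_end: int) -> bool:
        if idx == len(contents):
            return True
        pattern, mods = contents[idx]
        if mods.get("nocase"):
            hay, pat = payload.lower(), pattern.lower()
        else:
            hay, pat = payload, pattern
        # The first clause searches the whole payload; relative clauses are
        # anchored to the end of the previous match.
        start = prev_end + mods["distance"] if "distance" in mods else 0
        limit = prev_end + mods["within"] if "within" in mods else len(payload)
        i = hay.find(pat, start)
        while i != -1 and i + len(pat) <= limit:
            if search(idx + 1, i + len(pat)):
                return True
            i = hay.find(pat, i + 1)
        return False

    return search(0, 0)


# Constructed MIME header fragments (not real traffic).
# A perfectly clean Word document: the rule fires anyway, because it never
# inspects the attachment body.
CLEAN_DOC = (
    b'Content-Type: application/msword; name="quarterly-report.doc"\r\n'
    b'Content-Disposition: attachment; filename="quarterly-report.doc"\r\n'
    b'Content-Transfer-Encoding: base64\r\n'
)

# Same shape, different extension: no match.
PDF_ATTACHMENT = (
    b'Content-Type: application/pdf; name="quarterly-report.pdf"\r\n'
    b'Content-Disposition: attachment; filename="quarterly-report.pdf"\r\n'
)

# Uppercase extension still matches because of "nocase" on the last clause.
UPPERCASE_DOC = b'Content-Disposition: attachment; filename="Memo.DOC"\r\n'

# Extra parameters push filename= more than 30 bytes past the colon, so the
# within:30 window is exceeded and the rule does not fire (a blind spot of the
# signature, independent of whether the file is infected).
FAR_FILENAME = (
    b'Content-Disposition: attachment; size=12345; filename="Memo.doc"\r\n'
)


if __name__ == "__main__":
    for name, sample in [("CLEAN_DOC", CLEAN_DOC), ("PDF_ATTACHMENT", PDF_ATTACHMENT),
                         ("UPPERCASE_DOC", UPPERCASE_DOC), ("FAR_FILENAME", FAR_FILENAME)]:
        print(f"{name:15s} -> {'ALERT' if rule_matches(sample) else 'no match'}")
```

Running this shows the clean quarterly-report.doc raising the alert, which is exactly the behavior reported above: the signature is a filename detector (its classtype is suspicious-filename-detect), so on a site that legitimately mails Word documents it will alert on every one of them, and tuning it means suppressing or disabling the SID for those senders rather than expecting it to distinguish infected from clean files.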