[Snort-sigs] Problems with SID 2161

Sam Evans sam at ...219...
Mon Jun 23 10:38:19 EDT 2003


We've noticed a ton of false positives today with SID 2161.  The rule

alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".doc|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:1;)

I'm not sure why this is coming up, but we've confirmed with our Email
administrators that the documents being sent out were not infected with
any sort of Virus.

Has anyone else seen this behavior with this SID?
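To see why the rule fires on clean documents, it helps to run its match chain by hand. The rule has no notion of file contents: it alerts whenever an outbound SMTP payload carries a `Content-Disposition:` header followed within 30 bytes by `filename="` and, within another 30 bytes, a quoted name ending in `.doc`, so every outbound Word attachment with a short enough name trips it, infected or not. The model below is an added example and is not Snort code or anything from the Snort-sigs list; it transcribes SID 2161's three content matches and applies them to constructed SMTP header fragments (not captured traffic). It assumes the usual Snort 2 reading of `within:N` with `distance:0`, namely that the whole pattern must sit inside the N bytes that follow the previous match, and that `nocase` applies only to the content it follows.

```python
"""Model of SID 2161's decision: three chained content matches on an SMTP
payload. Added example, not from the Snort project or the Snort-sigs list."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Content:
    """One content: keyword with the modifiers SID 2161 uses."""
    pattern: bytes
    distance: int = 0             # skip this many bytes past the previous match
    within: Optional[int] = None  # whole pattern must sit in this many bytes after that
    nocase: bool = False          # case-insensitive; applies to this content only


# SID 2161's content chain, transcribed from the rule quoted in the post.
# Note that only the final content carries nocase.
SID_2161: Tuple[Content, ...] = (
    Content(b"Content-Disposition:"),
    Content(b'filename="', distance=0, within=30),
    Content(b'.doc"', distance=0, within=30, nocase=True),
)


def match_chain(payload: bytes, chain: Sequence[Content]) -> Optional[List[Tuple[int, int]]]:
    """Apply the ordered content chain the way Snort evaluates relative matches.

    Returns the (start, end) offsets of every content on success, or None as
    soon as one link fails. Assumed semantics: the first content is searched
    over the whole payload; each later content is searched in a window that
    starts `distance` bytes after the previous match ends and, when `within`
    is set, is exactly `within` bytes long, so the pattern must fit entirely
    inside it (a name too long for the window silently fails the rule).
    """
    offsets: List[Tuple[int, int]] = []
    cursor = 0  # end offset of the previous match
    for i, c in enumerate(chain):
        if i == 0:
            window_start, window_end = 0, len(payload)
        else:
            window_start = cursor + c.distance
            window_end = len(payload) if c.within is None else window_start + c.within
        hay, needle = payload[window_start:window_end], c.pattern
        if c.nocase:
            hay, needle = hay.lower(), needle.lower()
        idx = hay.find(needle)
        if idx < 0:
            return None
        start = window_start + idx
        end = start + len(needle)
        offsets.append((start, end))
        cursor = end
    return offsets


def fires(payload: bytes) -> bool:
    """True when SID 2161 would alert on this payload."""
    return match_chain(payload, SID_2161) is not None


# Constructed MIME header fragments as they would appear in an SMTP DATA
# stream; none of these is real traffic and none says anything about the
# bytes of the attachment itself.
SAMPLES = {
    "clean quarterly report": b'Content-Disposition: attachment; filename="q2-report.doc"\r\n',
    "uppercase extension":    b'Content-Disposition: attachment; filename="Memo.DOC"\r\n',
    "folded header":          b'Content-Disposition: attachment;\r\n\tfilename="agenda.doc"\r\n',
    # Base name longer than 25 bytes: '.doc"' cannot fit in the 30-byte window.
    "long filename":          b'Content-Disposition: attachment; filename="2003-06-23-board-meeting-minutes-final.doc"\r\n',
    # Double extension: the quote does not follow ".doc", so the rule is quiet.
    "double extension":       b'Content-Disposition: attachment; filename="invoice.doc.exe"\r\n',
    # First content is case-sensitive, so a lowercased header name never matches.
    "lowercase header name":  b'content-disposition: attachment; filename="notes.doc"\r\n',
}


def alerting_samples() -> List[str]:
    """Names of the constructed samples on which SID 2161 would alert."""
    return [name for name, payload in SAMPLES.items() if fires(payload)]


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{'ALERT' if fires(payload) else 'quiet'}  {name}")
```

The first three samples, all harmless, alert; the rule is a filename detector, so a "VIRUS" message text overstates what it knows. The last three show the other side of the same 30-byte windows and the case-sensitive header match: a long or double-extension name, or a non-canonical header case, passes without an alert.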

