[Snort-sigs] Problems with SID 2161

Steven Alexander alexander.s at ...1565...
Mon Jun 23 11:27:19 EDT 2003


This signature isn't looking for any particular virus or piece of
virus-like code.  The signature looks at outgoing emails to see if they
have a .doc file attached.  .doc files are one of several file types
that can contain viruses.  Snort flags other types as well.  The
signature is functioning in the way that it should.  You can disable it
to reduce false positives. 

-steven

> -----Original Message-----
> From: Sam Evans [mailto:sam at ...219...] 
> Sent: Monday, June 23, 2003 10:37 AM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Problems with SID 2161
> 
> 
> All:
> 
> We've noticed a ton of false positives today with SID 2161.  The rule
> reads:
> 
> alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS 
> OUTBOUND .doc file attachment"; flow:to_server,established; 
> content:"Content-Disposition|3a|"; content:"filename=|22|"; 
> distance:0; within:30; content:".doc|22|"; distance:0; 
> within:30; nocase; classtype:suspicious-filename-detect; 
> sid:2161; rev:1;)
> 
> I'm not sure why this is coming up, but we've confirmed with 
> our Email administrators that the documents being sent out 
> were not infected with any sort of Virus.
> 
> Has anyone else seen this behavior with this SID ?
> 
> Thanks,
> Sam
> 
> 
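To make the point of the reply concrete, here is a small model of the rule's payload chain, run over constructed SMTP message bodies. This is an added example, not code from the list or from the Snort project, and it only models the three `content` tests (not the rule header, `flow`, or the $SMTP_SERVERS/$EXTERNAL_NET variables). It assumes Snort 2 semantics for `distance:0; within:30`, namely that the next pattern must sit wholly inside the 30 bytes that follow the end of the previous match, and that a modifier such as `nocase` applies only to the content immediately before it. The mail bodies are constructed samples, not captures.

```python
"""Model of the content chain in Snort SID 2161 (added example, not the list's code).

The rule's payload test is three `content` matches:
  content:"Content-Disposition|3a|";
  content:"filename=|22|"; distance:0; within:30;
  content:".doc|22|";      distance:0; within:30; nocase;
Running the chain over sample message bodies shows what the rule keys on:
any attachment whose filename ends in .doc, infected or not.
"""
from typing import List

# (pattern, nocase). Assumption: in Snort 2 a modifier applies only to the
# content immediately before it, so only the final pattern is case-insensitive.
SID_2161_CONTENTS = [
    (b"Content-Disposition:", False),
    (b'filename="', False),
    (b'.doc"', True),
]
WITHIN = 30  # distance:0; within:30 on the second and third content


def _match_chain(payload: bytes, idx: int, pos: int) -> bool:
    """Match SID_2161_CONTENTS[idx:] starting at byte offset pos.

    Assumed semantics: with distance:0; within:N the pattern must lie wholly
    inside the N bytes after the end of the previous match.  Every occurrence
    of the current pattern is tried, so a later attachment can still satisfy
    the chain when an earlier one does not.
    """
    if idx == len(SID_2161_CONTENTS):
        return True
    pattern, nocase = SID_2161_CONTENTS[idx]
    if idx == 0:
        start, stop = 0, len(payload)  # first content: search the whole payload
    else:
        start, stop = pos, min(pos + WITHIN, len(payload))
    window = payload[start:stop]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    i = window.find(pattern)
    while i >= 0:
        if _match_chain(payload, idx + 1, start + i + len(pattern)):
            return True
        i = window.find(pattern, i + 1)
    return False


def sid_2161_matches(payload: bytes) -> bool:
    """True when the payload satisfies all three content tests of SID 2161."""
    return _match_chain(payload, 0, 0)


def build_message(filenames: List[str]) -> bytes:
    """Constructed multipart SMTP body with one attachment per filename (sample data)."""
    body = (
        b"From: alice@example.com\r\nTo: bob@example.net\r\n"
        b"Subject: meeting minutes\r\nMIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        b"--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    )
    for name in filenames:
        body += (
            b"--b1\r\nContent-Type: application/octet-stream\r\n"
            b'Content-Disposition: attachment; filename="' + name.encode() + b'"\r\n'
            b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"
        )
    return body + b"--b1--\r\n"


# Constructed cases; the label says what each one exercises.
SAMPLES = {
    "benign .doc (the false positive reported above)": ["minutes.doc"],
    "upper-case .DOC (nocase on the last content)": ["MINUTES.DOC"],
    "pdf attachment": ["minutes.pdf"],
    ".docx attachment (.doc|22| needs the quote right after .doc)": ["minutes.docx"],
    "filename longer than the within:30 window": ["very_long_document_name_for_the_board.doc"],
    "pdf followed by .doc (chain retried on the second header)": ["minutes.pdf", "minutes.doc"],
}


def scan_samples() -> dict:
    """Run the rule model over every sample; returns label -> would alert?"""
    return {label: sid_2161_matches(build_message(names)) for label, names in SAMPLES.items()}


if __name__ == "__main__":
    for label, hit in scan_samples().items():
        print(("ALERT " if hit else "quiet ") + label)
```

The first two samples alert although nothing in them is malicious, which is exactly why Steven calls the alerts expected behaviour rather than a bug. The last three show what the windowing does: the rule is a filename-extension check, `.docx` is not covered, and a filename whose `.doc"` ends more than 30 bytes after `filename="` is not flagged either, so the rule's coverage is narrower than its message suggests. That is worth knowing before deciding whether disabling it, as suggested above, costs anything in practice.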