[Snort-sigs] Problems with SID 2161

Brian bmc at ...95...
Mon Jun 23 14:22:58 EDT 2003


On Mon, Jun 23, 2003 at 01:37:17PM -0400, Sam Evans wrote:
> We've noticed a ton of false positives today with SID 2161.  The rule
> reads:
> 
> alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".doc|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:1;)
> 
> I'm not sure why this is coming up, but we've confirmed with our Email
> administrators that the documents being sent out were not infected with
> any sort of Virus.
> 
> Has anyone else seen this behavior with this SID ?

Yep.  When .doc files are transferred via email.  If you allow that,
then turn the rule off.  Be forewarned that a number of virus
implementations use vulnerabilities in Microsoft Word for propagation.

If you want real virus protection, install a virus scanner on your
mail server.  Using snort to detect virus infections is a stop-gap at
best.

-brian
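To make the false-positive behaviour concrete, here is an added example (not code from the thread or from the Snort project) that models the content/distance/within/nocase chain of SID 2161 in Python and runs it over constructed SMTP DATA payloads. It assumes a simplified reading of Snort's matcher: with distance:D and within:W the search starts D bytes after the end of the previous match and the whole pattern must fall inside the next W bytes; nocase applies only to the content it follows. The tcp/port/flow header conditions of the rule are assumed to already hold, and the sample messages are constructed, not captured traffic.

```python
"""Simplified model of SID 2161's content chain applied to SMTP payloads.

Added example: not code from the thread.  Only the payload-content part of
the rule is modelled; the tcp/port/flow conditions are assumed to hold.
"""

# Constructed sample payloads (not captured traffic).
CLEAN_DOC = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: Q2 report\r\n"
    b"Content-Type: application/msword; name=\"q2-report.doc\"\r\n"
    b"Content-Disposition: attachment; filename=\"q2-report.doc\"\r\n"
    b"\r\n"
    b"0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA\r\n"
)
UPPER_DOC = CLEAN_DOC.replace(b"q2-report.doc", b"Q2-REPORT.DOC")
PDF_MAIL = (
    CLEAN_DOC.replace(b".doc", b".pdf")
    .replace(b"application/msword", b"application/pdf")
)

# Rule body of SID 2161 as an ordered list of content steps:
# (pattern, distance, within, nocase).  distance/within of None means
# "search from the current position to the end of the payload".
SID_2161 = [
    (b"Content-Disposition:", None, None, False),
    (b'filename="', 0, 30, False),
    (b'.doc"', 0, 30, True),
]


def match_rule(payload: bytes, steps=SID_2161) -> bool:
    """Return True when every content step matches, in order.

    Assumption (simplified Snort semantics): with distance:D and within:W
    the window starts D bytes after the end of the previous match and the
    whole pattern must lie inside the next W bytes of that window.
    nocase applies only to the step it is attached to.
    """
    pos = 0
    for pattern, distance, within, nocase in steps:
        hay, pat = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if distance is None:
            idx = hay.find(pat, pos)
        else:
            start = pos + distance
            # bytes.find(sub, start, end) only reports a hit when the whole
            # pattern fits inside [start, end), which is what within:W needs.
            idx = hay.find(pat, start, start + within)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True


def evaluate_samples() -> dict:
    """Run the rule over the constructed samples; keys are sample names."""
    return {
        "clean .doc": match_rule(CLEAN_DOC),
        "upper-case .DOC": match_rule(UPPER_DOC),
        "pdf": match_rule(PDF_MAIL),
    }


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:16s} -> {'ALERT' if fired else 'no alert'}")
```

The clean Word document and its upper-case variant both trigger the chain, which is exactly what Sam observed: the rule keys on the attachment's declared filename, not on anything that indicates infection, so every legitimate outbound .doc produces an alert. A mail scanner on the SMTP server, as Brian suggests, is the control that actually inspects the attachment.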
