[Snort-sigs] Problems with SID 2161
bmc at ...95...
Mon Jun 23 14:22:58 EDT 2003
On Mon, Jun 23, 2003 at 01:37:17PM -0400, Sam Evans wrote:
> We've noticed a ton of false positives today with SID 2161. The rule
> alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".doc|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:1;)
> I'm not sure why this is coming up, but we've confirmed with our Email
> administrators that the documents being sent out were not infected with
> any sort of Virus.
> Has anyone else seen this behavior with this SID ?
Yep. When .doc files are transferred via email. If you allow that,
then turn the rule off. Be forewarned that a number of virus
implementations use vulnerabilities in Microsoft Word for propagation.
If you want real virus protection, install a virus scanner on your
mail server. Using snort to detect virus infections is a stop-gap at
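The reply above makes the point that SID 2161 keys on the attachment filename, not on anything malicious in the attachment, so it fires on every outbound `.doc`. The following is an added example, not code from the Snort project or from either poster: a simplified Python model of the three chained `content` matches in the rule (the `|xx|` hex escapes, `distance`, `within` and `nocase`), run over constructed SMTP header fragments. The match semantics are an approximation of Snort 2.x (each relative match is searched in the window that starts `distance` bytes after the previous match and is `within` bytes long; Snort's retry of later occurrences of the first pattern is not modelled), and the sample messages are made up.

```python
"""Simplified model of the content/distance/within chain in Snort SID 2161.

Added example; the matcher is an approximation of Snort's content modifiers,
not the Snort detection engine. Sample payloads below are constructed.
"""


def parse_snort_content(pattern: str) -> bytes:
    """Turn a Snort content string such as 'filename=|22|' into raw bytes.

    Text between |...| pairs is hex; everything else is literal ASCII.
    """
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)


# The three content matches of SID 2161, in rule order:
# (pattern, distance, within, nocase). distance=None means an absolute
# search over the whole payload; nocase applies only to the content it follows.
SID_2161_CONTENTS = [
    ("Content-Disposition|3a|", None, None, False),
    ("filename=|22|", 0, 30, False),
    (".doc|22|", 0, 30, True),
]


def matches_sid_2161(payload: bytes) -> bool:
    """Return True if the payload satisfies the rule's content chain."""
    prev_end = 0
    for raw, distance, within, nocase in SID_2161_CONTENTS:
        needle = parse_snort_content(raw)
        hay = payload
        if nocase:  # case-insensitive compare; lengths are unchanged
            needle, hay = needle.lower(), hay.lower()
        if distance is None:
            start, end = 0, len(hay)
        else:
            # Relative match: window opens `distance` bytes after the
            # previous match ended and is `within` bytes long; the pattern
            # must fit entirely inside it.
            start = prev_end + distance
            end = start + within
        idx = hay.find(needle, start, end)
        if idx == -1:
            return False
        prev_end = idx + len(needle)
    return True


# Constructed MIME header fragments as they would appear in SMTP DATA
# (not captured traffic). None of these carries anything malicious.
BENIGN_DOC = (
    b'Content-Type: application/msword; name="quarterly-report.doc"\r\n'
    b'Content-Disposition: attachment; filename="quarterly-report.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
)
UPPERCASE_DOC = (
    b'Content-Disposition: attachment; filename="Memo.DOC"\r\n'
)
PDF_ATTACHMENT = (
    b'Content-Disposition: attachment; filename="invoice.pdf"\r\n'
)


def classify_samples() -> dict:
    """Run the rule model over the constructed samples."""
    return {
        "benign_doc": matches_sid_2161(BENIGN_DOC),
        "uppercase_doc": matches_sid_2161(UPPERCASE_DOC),
        "pdf": matches_sid_2161(PDF_ATTACHMENT),
    }


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name}: {'ALERT' if hit else 'no alert'}")
```

The benign Word document and the upper-case `.DOC` both trigger the chain while the PDF does not, which is exactly the behaviour the thread describes: the rule is a filename heuristic for outbound Word attachments, so on a site that legitimately mails `.doc` files it will alert on every one of them regardless of content.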