[Snort-sigs] Problems with SID 2161

Sam Evans sam at ...219...
Mon Jun 23 14:52:26 EDT 2003


I guess the question then becomes, what is the use of a signature like
this?  To just identify when Word documents are being sent out?  That
hardly seems like a good use of resources for a device that is often
constrained as it is.

-Sam

On Mon, 23 Jun 2003, Steven Alexander wrote:

> This signature isn't looking for any particular virus or piece of
> virus-like code.  The signature looks at outgoing emails to see if they
> have a .doc file attached.  .doc files are one of several file types
> that can contain viruses.  Snort flags other types as well.  The
> signature is functioning in the way that it should.  You can disable it
> to reduce false positives.
>
> -steven
>
> > -----Original Message-----
> > From: Sam Evans [mailto:sam at ...219...]
> > Sent: Monday, June 23, 2003 10:37 AM
> > To: snort-sigs at lists.sourceforge.net
> > Subject: [Snort-sigs] Problems with SID 2161
> >
> >
> > All:
> >
> > We've noticed a ton of false positives today with SID 2161.  The rule
> > reads:
> >
> > alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS
> > OUTBOUND .doc file attachment"; flow:to_server,established;
> > content:"Content-Disposition|3a|"; content:"filename=|22|";
> > distance:0; within:30; content:".doc|22|"; distance:0;
> > within:30; nocase; classtype:suspicious-filename-detect;
> > sid:2161; rev:1;)
> >
> > I'm not sure why this is coming up, but we've confirmed with
> > our Email administrators that the documents being sent out
> > were not infected with any sort of virus.
> >
> > Has anyone else seen this behavior with this SID?
> >
> > Thanks,
> > Sam
> >
> >
>
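As an added example (not code from this thread or from the Snort project), the three content matches of SID 2161 modelled in Python with Snort's distance/within/nocase semantics and run over constructed MIME header fragments; the rule header, the flow option, and the sample data and function names are assumptions of this example.

```python
# Added example, not from the thread or the Snort project: a model of the
# content chain in SID 2161, showing why every outbound .doc attachment
# fires it. Only the three content matches with their distance/within/nocase
# modifiers are modelled; the rule header and flow option are not.

# (pattern, distance, within, nocase) in rule order. In a Snort rule, nocase
# applies only to the content it follows, so just '.doc"' is case-insensitive.
SID_2161_CHAIN = [
    (b"Content-Disposition:", 0, None, False),
    (b'filename="', 0, 30, False),
    (b'.doc"', 0, 30, True),
]

def _match_chain(payload, chain, anchor):
    """Snort-style relative matching: each pattern is searched from
    anchor + distance and, with `within`, must fit entirely inside the next
    `within` bytes. If a later pattern fails, retry at the next occurrence
    of the current one, as Snort's detection engine does."""
    if not chain:
        return True
    pattern, distance, within, nocase = chain[0]
    lo = anchor + distance
    hi = len(payload) if within is None else lo + within
    hay, needle = payload[lo:hi], pattern
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    idx = hay.find(needle)
    while idx >= 0:
        if _match_chain(payload, chain[1:], lo + idx + len(needle)):
            return True
        idx = hay.find(needle, idx + 1)
    return False

def sid_2161_matches(payload):
    """True when an SMTP payload satisfies SID 2161's content chain."""
    return _match_chain(payload, SID_2161_CHAIN, 0)

# Constructed MIME header fragments (not real traffic).
BENIGN_DOC = (b'Content-Type: application/msword; name="budget.doc"\r\n'
              b'Content-Disposition: attachment; filename="budget.doc"\r\n')
UPPER_DOC = b'Content-Disposition: attachment; filename="Minutes.DOC"\r\n'
DOCX = b'Content-Disposition: attachment; filename="budget.docx"\r\n'
PDF = b'Content-Disposition: attachment; filename="budget.pdf"\r\n'
# Here filename= begins more than 30 bytes after "Content-Disposition:", so
# the within:30 window never sees it: a coverage gap worth knowing when
# weighing this rule's false positives against what it actually catches.
LONG_PARAMS = (b'Content-Disposition: attachment; '
               b'creation-date="Mon, 23 Jun 2003"; filename="budget.doc"\r\n')
```

A clean, uninfected budget.doc fires the rule exactly as Steven describes, while .docx and .pdf attachments do not, since the last content requires a closing quote right after `.doc`.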