[Snort-users] VIRUS OUTBOUND .pif file attachment

Stevo checkpoint at ...9765...
Fri Sep 5 10:05:03 EDT 2003


Erek,

When I click on the details of the event this is what I see (the email must
have cut off this section):

So this shows the email being send from extra at ...10027... to
corporate at ...10038... (which is our email domain).  So the email is actually
from an outside source and being send inbound??

This is where I'm getting confused!

--Stevo


1BDYB01 ([64.7.171.84]) by intranet1.renditionnetworks.com with
Microsoft SMTPSVC(5.0.2195.6713);... Wed, 3 Sep 2003 10:02:04 -0
700..From: <extra at ...10027...>..To: <corporate at ...10038...>..Subje
ct: Thank you!..Date: Wed, 3 Sep 2003 13:14:44 --0400..X-MailSca
nner: Found to be clean..Importance: Normal..X-Mailer: Microsoft
 Outlook Express 6.00.2600.0000..X-MSMail-Priority: Normal..X-Pr
iority: 3 (Normal)..MIME-Version: 1.0..Content-Type: multipart/m
ixed;...boundary="_NextPart_000_060CCF5D"..Return-Path: extra at ...10039...
iets.com..Message-ID: <INTRANET1CsUiivWd2Y000036a7 at ...10040...
ditionnetworks.com>..X-OriginalArrivalTime: 03 Sep 2003 17:02:05
.0176 (UTC) FILETIME=[1A073F80:01C3723D]....This
 is a multipart message in MIME format....--_NextPart_000_060CCF
5D..Content-Type: text/plain;...charset="iso-8859-1"..Content-Tr
ansfer-Encoding: 7bit....Please see the attached file for detail
s...--_NextPart_000_060CCF5D..Content-Type: application/octet-st
ream;...name="application.pif"..Content-Transfer-Encoding: base6
4..Content-Disposition: attachment;...filename="application.pif"
....TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA..AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIG
Nhbm5vdCBiZSBydW4gaW4gRE9TIG1v..ZGUuDQ0KJAAAAAAAAADToEjPl8EmnJfB
JpyXwSacFN0onI3BJpx/3iyc7cEmnMHeNZyawSacl8Em..nJTBJpyXwSecBsEmnP
XeNZyawSacf94tnI3BJpxSaWNol8EmnAAAAAAAAAAAAAAAAAAAAA

----- Original Message -----
From: "Erek Adams" <erek at ...950...>
To: "Stevo" <checkpoint at ...9765...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, September 04, 2003 10:09 PM
Subject: Re: [Snort-users] VIRUS OUTBOUND .pif file attachment


> On Thu, 4 Sep 2003, Stevo wrote:
>
> > Got a questions about the [snort] VIRUS OUTBOUND .pif file attachment
rule.
> > I'm seeing a billion of these in my logs and don't really understand the
> > rule.  My mail server is 63.145.201.15 and from the rule it appears that
my
> > mail server is connecting to other mail servers on port 25 and Snort is
> > picking up that I'm sending a .pif file attachment.
> >
> > [snort] VIRUS OUTBOUND .pif file attachment        2003-09-03 10:00:06
> > 63.145.201.15:29180        216.144.69.88:25        TCP
> >
> > However...
> >
> > When I look at the details for the event it appears that the email is
from
> > an outside domain and being sent into our email domain... see below...
from
> > extra at ...10027... to corporate at ...10028...  Imandi.com is our email
domain,
> > so this message is actually being sent inbound!  Am I understanding this
> > correctly??
>
> Well, I'm guessing you forgot to add whatever was to be 'below'.  :)
>
> From what you posted, your server (.15) connected to .88 and sent an
> email with the .pif as part of it.  Everything there matches with what you
> show.
>
> Am I not understanding what the issue is?
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."   H.S. Thompson
>






More information about the Snort-users mailing list