[Snort-users] VIRUS OUTBOUND .pif file attachment

Stevo checkpoint at ...9765...
Fri Sep 5 10:05:03 EDT 2003


When I click on the details of the event, this is what I see (the email must
have cut off this section):

So this shows the email being sent from extra at ...10027... to
corporate at ...10038... (which is our email domain).  So the email is actually
from an outside source and being sent inbound??

This is where I'm getting confused!


1BDYB01 ([]) by intranet1.renditionnetworks.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 3 Sep 2003 10:02:04 -0700
From: <extra at ...10027...>
To: <corporate at ...10038...>
Subject: Thank you!
Date: Wed, 3 Sep 2003 13:14:44 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_060CCF5D"
Return-Path: extra at ...10039...iets.com
Message-ID: <INTRANET1CsUiivWd2Y000036a7 at ...10040...ditionnetworks.com>
X-OriginalArrivalTime: 03 Sep 2003 17:02:05.0176 (UTC) FILETIME=[1A073F80:01C3723D]

This is a multipart message in MIME format.

--_NextPart_000_060CCF5D
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please see the attached file for details.

--_NextPart_000_060CCF5D
Content-Type: application/octet-stream; name="application.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="application.pif"

----- Original Message -----
From: "Erek Adams" <erek at ...950...>
To: "Stevo" <checkpoint at ...9765...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, September 04, 2003 10:09 PM
Subject: Re: [Snort-users] VIRUS OUTBOUND .pif file attachment

> On Thu, 4 Sep 2003, Stevo wrote:
> > Got a question about the [snort] VIRUS OUTBOUND .pif file attachment
> > I'm seeing a billion of these in my logs and don't really understand the
> > rule.  My mail server is and from the rule it appears that
> > mail server is connecting to other mail servers on port 25 and Snort is
> > picking up that I'm sending a .pif file attachment.
> >
> > [snort] VIRUS OUTBOUND .pif file attachment        2003-09-03 10:00:06
> >        TCP
> >
> > However...
> >
> > When I look at the details for the event it appears that the email is from
> > an outside domain and being sent into our email domain... see below...
> > extra at ...10027... to corporate at ...10028...  Imandi.com is our email domain,
> > so this message is actually being sent inbound!  Am I understanding this
> > correctly??
> Well, I'm guessing you forgot to add whatever was to be 'below'.  :)
> From what you posted, your server (.15) connected to .88 and sent an
> email with the .pif as part of it.  Everything there matches with what you
> show.
> Am I not understanding what the issue is?
> -----
> Erek Adams
>    "When things get weird, the weird turn pro."   H.S. Thompson
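The point Erek is making, shown as an added example that is not part of the thread or of the Snort ruleset: the INBOUND/OUTBOUND label on the alert comes from the TCP flow Snort saw (the mail server, .15, opening a connection to port 25 on .88), not from the From: and To: lines inside the message. Those headers are just payload bytes written by whichever SMTP client sent the mail, so they say nothing reliable about direction. The script below runs both views over a constructed copy of the posted payload. The $HOME_NET range, the full IP addresses and the sender address are assumptions (the archive obscured the real ones), the base64 body is filler, and the regex only approximates the stock rule's content matches.

```python
"""Why a "VIRUS OUTBOUND" alert can fire on mail whose headers look inbound.
Added example, not code from the Snort project or the thread: direction comes
from the TCP flow ($HOME_NET host -> port 25 on $EXTERNAL_NET), while From:/To:
are attacker-writable payload bytes.  Assumed values are marked below."""
import ipaddress
import re
from email import message_from_bytes

# Assumption: the range Snort was configured with as $HOME_NET.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
# The thread says Imandi.com is the organisation's own mail domain.
HOME_DOMAIN = "imandi.com"

# Constructed sample of the SMTP DATA payload, rebuilt from the headers in the
# event detail.  Sender address is a placeholder; base64 body is filler.
SAMPLE = (
    b"From: <extra@sender.example>\r\n"
    b"To: <corporate@imandi.com>\r\n"
    b"Subject: Thank you!\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="_NextPart_000_060CCF5D"\r\n'
    b"\r\n"
    b"--_NextPart_000_060CCF5D\r\n"
    b'Content-Type: text/plain; charset="iso-8859-1"\r\n'
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"Please see the attached file for details.\r\n"
    b"\r\n"
    b"--_NextPart_000_060CCF5D\r\n"
    b'Content-Type: application/octet-stream; name="application.pif"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="application.pif"\r\n'
    b"\r\n"
    b"UExBQ0VIT0xERVI=\r\n"
    b"--_NextPart_000_060CCF5D--\r\n"
)

# Stand-in for the rule's payload test (a Content-Disposition header whose
# filename ends in .pif).  Regex approximation, not the stock rule's exact
# content/distance/within options.
PIF_ATTACHMENT = re.compile(
    rb'Content-Disposition:[^\r\n]*filename="[^"\r\n]*\.pif"', re.I)


def flow_direction(src_ip, dst_ip, dst_port):
    """Direction the way the Snort rule sees it: from the TCP 5-tuple only."""
    if dst_port != 25:
        return None
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in HOME_NET and dst not in HOME_NET:
        return "OUTBOUND"   # $HOME_NET any -> $EXTERNAL_NET 25
    if src not in HOME_NET and dst in HOME_NET:
        return "INBOUND"    # $EXTERNAL_NET any -> $HOME_NET 25
    return None


def pif_content_match(payload):
    """True when the payload declares a .pif attachment."""
    return PIF_ATTACHMENT.search(payload) is not None


def attachment_names(payload):
    """Filenames of every MIME part declared as an attachment."""
    msg = message_from_bytes(payload)
    return [part.get_filename() for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def header_direction(payload, home_domain=HOME_DOMAIN):
    """What From:/To: *claim*.  Not evidence: the client that sent the mail
    wrote both fields and could have put any address in either one."""
    msg = message_from_bytes(payload)
    sender_is_home = f"@{home_domain}" in (msg.get("From") or "").lower()
    rcpt_is_home = f"@{home_domain}" in (msg.get("To") or "").lower()
    if sender_is_home and not rcpt_is_home:
        return "looks outbound"
    if rcpt_is_home and not sender_is_home:
        return "looks inbound"
    return "ambiguous"


def explain_alert(src_ip, dst_ip, dst_port, payload):
    """Put the flow view and the header view side by side for one alert."""
    return {
        "flow": flow_direction(src_ip, dst_ip, dst_port),
        "headers_say": header_direction(payload),
        "pif_attachment": pif_content_match(payload),
        "attachments": attachment_names(payload),
    }


if __name__ == "__main__":
    # Hypothetical full addresses; the thread shows only .15 (mail server) and .88.
    print(explain_alert("192.168.1.15", "203.0.113.88", 25, SAMPLE))
    # -> flow 'OUTBOUND', headers_say 'looks inbound', pif_attachment True
```

The disagreement between the two views is exactly the situation in the thread: the flow says the local server relayed the message out to .88, while the headers were written to look like inbound mail. When triaging this class of alert, trust the 5-tuple and the Received: trail your own server added, and treat From:/To: as content to inspect rather than as routing information.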
