[Snort-users] VIRUS OUTBOUND .pif file attachment
Erek Adams
erek at ...950...
Fri Sep 5 10:52:25 EDT 2003
On Fri, 5 Sep 2003, Stevo wrote:
> When I click on the details of the event this is what I see (the email must
> have cut off this section):
>
> So this shows the email being sent from extra at ...10027... to
> corporate at ...10038... (which is our email domain). So the email is actually
> from an outside source and being sent inbound??
>
> This is where I'm getting confused!
I've broken this up for easier readability.
> 1BDYB01 ([64.7.171.84]) by intranet1.renditionnetworks.com with
> Microsoft SMTPSVC(5.0.2195.6713)
> Wed, 3 Sep 2003 10:02:04 -0700
> From: <extra at ...10027...>
> To: <corporate at ...10038...>
> Subject:
[...snip...]
According to that, the email is _from_ ediets. Not from you. Why? Let's
see...
Let's look at the rule:
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND
.pif file attachment"; flow:to_server,established;
content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0;
within:30; content:".pif|22|"; distance:0; within:30; nocase;
classtype:suspicious-filename-detect; sid:721; rev:4;)
Now, That rule works--If you have your variables set right. I'm going to
guess that you have:
var HOME_NET any
var EXTERNAL_NET any
In your snort.conf. After that, SMTP_SERVERS gets set to the same as
HOME_NET. So what that rule really reads is something like "from any to
any on port 25..."
Fix? Change your snort.conf:
var HOME_NET 10.10.10.0/24 (or whatever network you want to watch)
var EXTERNAL_NET !$HOME_NET
And possibly:
var SMTP_SERVERS 10.10.10.15 (or whatever the IP of the
mailserver)
That should help reduce the number of false positives that you see. Oh,
and don't forget to restart Snort.
Cheers!
-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
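The variable-resolution point Erek makes above, worked through as an added example (this is not code from the original post or from the Snort project). It models only the header of sid:721 (source in $SMTP_SERVERS, destination in $EXTERNAL_NET, port 25), not the content matches or the flow keyword, and resolves $VAR references the way the reply describes. The two snort.conf fragments are constructed from the values in the post; 64.7.171.84 is the relaying host from the quoted Received header, and 10.10.10.15 is the mail server address the reply uses as its example. The constructed values and the name rule_header_fires are assumptions for this illustration.

```python
import ipaddress

# Constructed snort.conf fragment mirroring the "any/any" setup the reply suspects.
# SMTP_SERVERS defaults to $HOME_NET, so it is spelled out here for clarity.
WEAK_CONF = """
var HOME_NET any
var EXTERNAL_NET any
var SMTP_SERVERS $HOME_NET
"""

# Constructed fragment with the fix the reply recommends (example network values).
FIXED_CONF = """
var HOME_NET 10.10.10.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS 10.10.10.15
"""

# Header of sid:721 as posted: $SMTP_SERVERS any -> $EXTERNAL_NET 25
RULE_SRC = "$SMTP_SERVERS"
RULE_DST = "$EXTERNAL_NET"
RULE_DST_PORT = 25


def parse_vars(conf):
    """Collect 'var NAME VALUE' lines into a dict of unresolved values."""
    found = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "var":
            found[parts[1]] = parts[2]
    return found


def resolve(expr, variables):
    """Expand $NAME references until a literal (any / CIDR / host) remains.

    A leading '!' negates; two negations cancel (!$X where X = !Y gives Y).
    """
    while expr.lstrip("!").startswith("$"):
        negated = expr.startswith("!")
        name = expr.lstrip("!")[1:]
        inner = variables[name]
        if inner.startswith("!"):
            inner = inner[1:]
            negated = not negated
        expr = ("!" if negated else "") + inner
    return expr


def matches(expr, ip):
    """Does one IP satisfy a resolved address expression (any, CIDR, host, ! negation)?"""
    negated = expr.startswith("!")
    body = expr.lstrip("!")
    if body == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(body, strict=False)
    return hit != negated


def rule_header_fires(conf, src_ip, dst_ip, dst_port):
    """True when the packet's addresses/port satisfy the sid:721 header under this conf."""
    variables = parse_vars(conf)
    return (
        dst_port == RULE_DST_PORT
        and matches(resolve(RULE_SRC, variables), src_ip)
        and matches(resolve(RULE_DST, variables), dst_ip)
    )


if __name__ == "__main__":
    # Inbound delivery from the outside relay to the local mail server.
    inbound = ("64.7.171.84", "10.10.10.15", 25)
    # Outbound delivery from the local mail server to an outside host.
    outbound = ("10.10.10.15", "64.7.171.84", 25)
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, "inbound fires:", rule_header_fires(conf, *inbound))
        print(label, "outbound fires:", rule_header_fires(conf, *outbound))
```

With the any/any variables the inbound eDiets delivery satisfies the header and only the content matches decide, which is exactly why an inbound message showed up as "VIRUS OUTBOUND". With HOME_NET and SMTP_SERVERS set, the same inbound packet fails the source check and only genuinely outbound mail from the server can fire the rule.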