[Snort-users] VIRUS OUTBOUND .pif file attachment

Erek Adams erek at ...950...
Fri Sep 5 10:52:25 EDT 2003

On Fri, 5 Sep 2003, Stevo wrote:

> When I click on the details of the event this is what I see (the email must
> have cut off this section):
> So this shows the email being send from extra at ...10027... to
> corporate at ...10038... (which is our email domain).  So the email is actually
> from an outside source and being send inbound??
> This is where I'm getting confused!

I've broken this up for easier readability.

> 1BDYB01 ([]) by intranet1.renditionnetworks.com with
>   Microsoft SMTPSVC(5.0.2195.6713)
> Wed, 3 Sep 2003 10:02:04 -0700
> From: <extra at ...10027...>
> To: <corporate at ...10038...>
> Subject:


According to that, the email is _from_ ediets.  Not from you.  Why?

Let's look at the rule:

  alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND
  .pif file attachment"; flow:to_server,established;
  content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0;
  within:30; content:".pif|22|"; distance:0; within:30; nocase;
  classtype:suspicious-filename-detect; sid:721; rev:4;)

Now, That rule works--If you have your variables set right.  I'm going to
guess that you have:

	var HOME_NET any

In your snort.conf.  After that, SMTP_SERVERS gets set to the same as
HOME_NET.  So what that rule really reads is something like "from any to
any on port 25..."

Fix?  Change your snort.conf:

	var HOME_NET (or whatever network you want to watch)

And possibly:

	var SMTP_SERVERS (or whatever the IP of the

That should help reduce the number of false positives that you see.  Oh,
and don't forget to restart Snort.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
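The following is an added example, not part of the original mailing list post and not Snort's own code. It models only the address and port part of the header of sid:721 (`$SMTP_SERVERS any -> $EXTERNAL_NET 25`), so you can see why `var HOME_NET any` lets an inbound delivery from an outside mailer trigger an "OUTBOUND" rule, and why a specific HOME_NET and SMTP_SERVERS stop that. The `EXTERNAL_NET any` default, the IP addresses and the two deliveries are all constructed assumptions.

```python
import ipaddress

# Constructed model (added example, not Snort itself) of how Snort resolves
# the address fields in a rule header against snort.conf variables. The
# payload 'content:' matches of sid:721 are deliberately not modelled: the
# point is that the header alone decides which flows are even inspected.


def resolve_var(value, variables):
    """Expand a snort.conf value such as 'any', '$HOME_NET', '!$HOME_NET' or
    a CIDR list into a (negated, networks) pair. networks is None for 'any'."""
    negated = value.startswith("!")
    if negated:
        value = value[1:]
    if value.startswith("$"):
        inner_negated, nets = resolve_var(variables[value[1:]], variables)
        return (negated != inner_negated, nets)
    if value == "any":
        return (negated, None)
    nets = [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.strip("[]").split(",")]
    return (negated, nets)


def addr_matches(ip, spec):
    """True if ip satisfies the (negated, networks) spec."""
    negated, nets = spec
    if nets is None:
        hit = True
    else:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in n for n in nets)
    return hit != negated


def header_matches(src_ip, dst_ip, dst_port, variables,
                   src_var="SMTP_SERVERS", dst_var="EXTERNAL_NET", port=25):
    """Evaluate the rule header '$SMTP_SERVERS any -> $EXTERNAL_NET 25'."""
    src_spec = resolve_var("$" + src_var, variables)
    dst_spec = resolve_var("$" + dst_var, variables)
    return (dst_port == port
            and addr_matches(src_ip, src_spec)
            and addr_matches(dst_ip, dst_spec))


# The configuration guessed in the reply: HOME_NET any, SMTP_SERVERS
# inheriting it. EXTERNAL_NET any is assumed as the stock default.
LOOSE_CONF = {
    "HOME_NET": "any",
    "EXTERNAL_NET": "any",
    "SMTP_SERVERS": "$HOME_NET",
}

# The corrected configuration: a specific watched network and mail relay.
# Addresses are constructed documentation ranges, not the poster's.
TIGHT_CONF = {
    "HOME_NET": "192.0.2.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "SMTP_SERVERS": "192.0.2.25/32",
}

# Constructed flows: an inbound delivery (outside mailer -> our MX) and an
# outbound delivery (our relay -> outside MX), both to TCP port 25.
INBOUND = ("198.51.100.7", "192.0.2.25", 25)
OUTBOUND = ("192.0.2.25", "203.0.113.10", 25)


def explain():
    """Return which flows the header selects under each configuration."""
    return {
        "loose_inbound": header_matches(*INBOUND, LOOSE_CONF),
        "loose_outbound": header_matches(*OUTBOUND, LOOSE_CONF),
        "tight_inbound": header_matches(*INBOUND, TIGHT_CONF),
        "tight_outbound": header_matches(*OUTBOUND, TIGHT_CONF),
    }


if __name__ == "__main__":
    for name, hit in explain().items():
        print(f"{name}: {'inspected' if hit else 'skipped'}")
```

With the loose configuration both flows pass the header, so a .pif attachment arriving from ediets is reported as "OUTBOUND"; with HOME_NET and SMTP_SERVERS set, only the relay-to-outside flow is inspected.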

