[Snort-users] VIRUS OUTBOUND .pif file attachment
erek at ...950...
Fri Sep 5 10:52:25 EDT 2003
On Fri, 5 Sep 2003, Stevo wrote:
> When I click on the details of the event this is what I see (the email must
> have cut off this section):
> So this shows the email being send from extra at ...10027... to
> corporate at ...10038... (which is our email domain). So the email is actually
> from an outside source and being send inbound??
> This is where I'm getting confused!
I've broken this up for easier readability.
> 1BDYB01 ([22.214.171.124]) by intranet1.renditionnetworks.com with
> Microsoft SMTPSVC(5.0.2195.6713)
> Wed, 3 Sep 2003 10:02:04 -0700
> From: <extra at ...10027...>
> To: <corporate at ...10038...>
According to that, the email is _from_ ediets. Not from you. Why?
Let's look at the rule:
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND
.pif file attachment"; flow:to_server,established;
content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0;
within:30; content:".pif|22|"; distance:0; within:30; nocase;
classtype:suspicious-filename-detect; sid:721; rev:4;)
Now, that rule works--if you have your variables set right. I'm going to
guess that you have:
var HOME_NET any
var EXTERNAL_NET any
In your snort.conf. After that, SMTP_SERVERS gets set to the same as
HOME_NET. So what that rule really reads is something like "from any to
any on port 25..."
Fix? Change your snort.conf:
var HOME_NET 10.10.10.0/24 (or whatever network you want to watch)
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS 10.10.10.15 (or whatever the IP of the
That should help reduce the number of false positives that you see. Oh,
and don't forget to restart Snort.
"When things get weird, the weird turn pro." H.S. Thompson
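To make the variable-resolution point concrete, here is an added example (my own code, not Snort's and not from the list thread) that models how $SMTP_SERVERS and $EXTERNAL_NET expand in the sid 721 rule header under the any/any configuration and under the suggested fix; the sample addresses, flows and the SMTP_SERVERS-defaults-to-HOME_NET behaviour are constructed assumptions.

```python
import ipaddress

# Constructed snort.conf variable sets (not from the original mail).
# CONF_ANY is the "var HOME_NET any / var EXTERNAL_NET any" setup the reply
# diagnoses; CONF_FIXED is the correction it suggests.
CONF_ANY = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
CONF_FIXED = {
    "HOME_NET": "10.10.10.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "SMTP_SERVERS": "10.10.10.15",
}


def ip_in(conf, name, ip):
    """Return True if ip falls inside the Snort variable `name` after
    expanding $REFS, honouring a leading '!' and the keyword 'any'.
    Assumption: SMTP_SERVERS defaults to $HOME_NET when left unset."""
    default = "$HOME_NET" if name == "SMTP_SERVERS" else "any"
    spec = conf.get(name, default)
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        inside = ip_in(conf, spec[1:], ip)
    elif spec == "any":
        inside = True
    else:
        net = ipaddress.ip_network(spec, strict=False)  # host or CIDR
        inside = ipaddress.ip_address(ip) in net
    return not inside if negate else inside


def rule_header_matches(conf, src_ip, dst_ip, dst_port):
    """Header of sid 721: tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25.
    Only the address/port part is modelled; content matches are ignored."""
    return (dst_port == 25
            and ip_in(conf, "SMTP_SERVERS", src_ip)
            and ip_in(conf, "EXTERNAL_NET", dst_ip))


# Constructed sample flows: an inbound delivery from an outside mail server
# to the local SMTP server (the ediets case), and a genuine outbound relay.
INBOUND = ("192.0.2.7", "10.10.10.15", 25)
OUTBOUND = ("10.10.10.15", "203.0.113.9", 25)

if __name__ == "__main__":
    for label, conf in (("any/any", CONF_ANY), ("fixed", CONF_FIXED)):
        for name, flow in (("inbound", INBOUND), ("outbound", OUTBOUND)):
            print(f"{label:8} {name:9} -> {rule_header_matches(conf, *flow)}")
```

With any/any both flows fire the "OUTBOUND" rule; with the fixed variables only the real outbound relay does.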