[Snort-users] VIRUS OUTBOUND .pif file attachment

Erek Adams erek at ...950...
Fri Sep 5 10:52:25 EDT 2003


On Fri, 5 Sep 2003, Stevo wrote:

> When I click on the details of the event this is what I see (the email must
> have cut off this section):
>
> So this shows the email being sent from extra at ...10027... to
> corporate at ...10038... (which is our email domain).  So the email is actually
> from an outside source and being sent inbound??
>
> This is where I'm getting confused!

I've broken this up for easier readability.

> 1BDYB01 ([64.7.171.84]) by intranet1.renditionnetworks.com with
>   Microsoft SMTPSVC(5.0.2195.6713)
> Wed, 3 Sep 2003 10:02:04 -0700
> From: <extra at ...10027...>
> To: <corporate at ...10038...>
> Subject:

[...snip...]

According to that, the email is _from_ ediets.  Not from you.  Why?  Let's
see...

Let's look at the rule:

  alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND
  .pif file attachment"; flow:to_server,established;
  content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0;
  within:30; content:".pif|22|"; distance:0; within:30; nocase;
  classtype:suspicious-filename-detect; sid:721; rev:4;)

Now, that rule works--if you have your variables set right.  I'm going to
guess that you have:

	var HOME_NET any
	var EXTERNAL_NET any

In your snort.conf.  After that, SMTP_SERVERS gets set to the same as
HOME_NET.  So what that rule really reads is something like "from any to
any on port 25..."

Fix?  Change your snort.conf:

	var HOME_NET 10.10.10.0/24 (or whatever network you want to watch)
	var EXTERNAL_NET !$HOME_NET

And possibly:

	var SMTP_SERVERS 10.10.10.15 (or whatever the IP of the mail server is)

That should help reduce the number of false positives that you see.  Oh,
and don't forget to restart Snort.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
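A small simulator of how Snort resolves the address variables in that rule header, added here as an example and not part of the original post or of Snort itself. It assumes the 10.10.10.x addresses from Erek's sample config and the 64.7.171.84 relay from the quoted headers, and evaluates only the header (addresses and port), not the content matches or the flow option.

```python
import ipaddress

# Constructed from the two snort.conf fragments in the post. The "loose" config
# leaves SMTP_SERVERS undefined so it falls back to $HOME_NET, as Erek describes.
LOOSE_CONF = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
FIXED_CONF = {"HOME_NET": "10.10.10.0/24", "EXTERNAL_NET": "!$HOME_NET",
              "SMTP_SERVERS": "10.10.10.15"}

# Header of sid:721 as quoted: tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25
RULE_SRC, RULE_DST, RULE_DPORT = "$SMTP_SERVERS", "$EXTERNAL_NET", 25


def resolve(expr, conf):
    """Expand a Snort address expression to (negated, 'any' | ip_network).

    Handles the forms used in the post: a literal 'any', a CIDR or host, or a
    $VAR reference, each optionally prefixed with '!'.  An undefined
    SMTP_SERVERS defaults to $HOME_NET; any other undefined variable is 'any'.
    """
    negated = expr.startswith("!")
    expr = expr.lstrip("!")
    if expr.startswith("$"):
        name = expr[1:]
        value = conf.get(name, "$HOME_NET" if name == "SMTP_SERVERS" else "any")
        inner_neg, inner = resolve(value, conf)
        return negated ^ inner_neg, inner
    if expr == "any":
        return negated, "any"
    return negated, ipaddress.ip_network(expr, strict=False)


def addr_matches(expr, conf, ip):
    """True when `ip` satisfies the (possibly negated) address expression."""
    negated, net = resolve(expr, conf)
    hit = True if net == "any" else ipaddress.ip_address(ip) in net
    return hit != negated


def rule_fires(conf, src_ip, dst_ip, dst_port):
    """Header check only: would sid:721 consider this src -> dst:port at all?"""
    return (dst_port == RULE_DPORT
            and addr_matches(RULE_SRC, conf, src_ip)
            and addr_matches(RULE_DST, conf, dst_ip))


if __name__ == "__main__":
    # Inbound mail from the 64.7.171.84 relay to the (assumed) internal mail server.
    print("loose config, inbound mail fires:", rule_fires(LOOSE_CONF, "64.7.171.84", "10.10.10.15", 25))
    print("fixed config, inbound mail fires:", rule_fires(FIXED_CONF, "64.7.171.84", "10.10.10.15", 25))
    print("fixed config, outbound mail fires:", rule_fires(FIXED_CONF, "10.10.10.15", "64.7.171.84", 25))
```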