[Snort-users] VIRUS OUTBOUND .pif file attachment

Stevo checkpoint at ...9765...
Mon Sep 8 19:26:03 EDT 2003


Erek,

Good suggestions - I had my SMTP_Servers and Home_NET variables set up
correctly, but the External_Net was defined as ANY.  I changed that to
!$HOME_NET and we seem to be back in business!!  Whew...

Thanks

Stevo

----- Original Message -----
From: "Erek Adams" <erek at ...950...>
To: "Stevo" <checkpoint at ...9765...>
Cc: "Erek Adams" <erek at ...950...>; <snort-users at lists.sourceforge.net>
Sent: Friday, September 05, 2003 10:47 AM
Subject: Re: [Snort-users] VIRUS OUTBOUND .pif file attachment


> On Fri, 5 Sep 2003, Stevo wrote:
>
> > When I click on the details of the event this is what I see (the email must
> > have cut off this section):
> >
> > So this shows the email being sent from extra at ...10027... to
> > corporate at ...10038... (which is our email domain).  So the email is actually
> > from an outside source and being sent inbound??
> >
> > This is where I'm getting confused!
>
> I've broken this up for easier readability.
>
> > 1BDYB01 ([64.7.171.84]) by intranet1.renditionnetworks.com with
> >   Microsoft SMTPSVC(5.0.2195.6713)
> > Wed, 3 Sep 2003 10:02:04 -0700
> > From: <extra at ...10027...>
> > To: <corporate at ...10038...>
> > Subject:
>
> [...snip...]
>
> According to that, the email is _from_ ediets.  Not from you.  Why?  Let's
> see...
>
> Let's look at the rule:
>
>   alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND
>   .pif file attachment"; flow:to_server,established;
>   content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0;
>   within:30; content:".pif|22|"; distance:0; within:30; nocase;
>   classtype:suspicious-filename-detect; sid:721; rev:4;)
>
> Now, that rule works--if you have your variables set right.  I'm going to
> guess that you have:
>
> var HOME_NET any
> var EXTERNAL_NET any
>
> In your snort.conf.  After that, SMTP_SERVERS gets set to the same as
> HOME_NET.  So what that rule really reads is something like "from any to
> any on port 25..."
>
> Fix?  Change your snort.conf:
>
> var HOME_NET 10.10.10.0/24 (or whatever network you want to watch)
> var EXTERNAL_NET !$HOME_NET
>
> And possibly:
>
> var SMTP_SERVERS 10.10.10.15 (or whatever the IP of the
> mailserver)
>
> That should help reduce the number of false positives that you see.  Oh,
> and don't forget to restart Snort.
>
> Cheers!
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."   H.S. Thompson
>
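A worked illustration of Erek's point about the variables, added here as an example and not part of the original thread or of Snort itself: a small resolver for Snort 2.x-style IP address specs (`any`, CIDR, `!` negation, `$VAR` references and bracketed lists) applied to the header of sid:721. The two variable sets mirror the "any/any" configuration Erek guessed at and his suggested fix; the flows and the 10.10.10.15 / 203.0.113.10 / 198.51.100.20 addresses are constructed for the demonstration.

```python
"""Show why "var EXTERNAL_NET any" makes the OUTBOUND .pif rule fire on
inbound mail, and why "var EXTERNAL_NET !$HOME_NET" stops it.

Only the rule *header* (source, destination, port) is modelled here; the
content matches on the attachment name are assumed to hit in both cases.
"""
import ipaddress

# Header of sid:721 as quoted in the thread:
#   alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (...)
RULE_HEADER = {"src": "$SMTP_SERVERS", "dst": "$EXTERNAL_NET", "dport": 25}

# Configuration Erek suspected: everything is "any", and SMTP_SERVERS
# inherits HOME_NET, so the header collapses to "any -> any port 25".
BAD_VARS = {
    "HOME_NET": "any",
    "EXTERNAL_NET": "any",
    "SMTP_SERVERS": "$HOME_NET",
}

# Configuration Erek recommended (addresses are constructed examples).
GOOD_VARS = {
    "HOME_NET": "10.10.10.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "SMTP_SERVERS": "10.10.10.15",
}

# Two constructed SMTP flows: mail arriving at our mail server from outside,
# and mail our server delivers to an outside MX.
INBOUND = {"src": "203.0.113.10", "dst": "10.10.10.15", "dport": 25}
OUTBOUND = {"src": "10.10.10.15", "dst": "198.51.100.20", "dport": 25}


def resolve(spec, variables):
    """Turn a Snort address spec into a predicate over an IP address string.

    Supports: any, a.b.c.d, a.b.c.d/nn, !spec, $VARNAME, [spec,spec,...].
    """
    spec = spec.strip()
    if spec.startswith("!"):
        inner = resolve(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):
        return resolve(variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):
        members = [resolve(m, variables) for m in spec[1:-1].split(",")]
        return lambda ip: any(m(ip) for m in members)
    if spec == "any":
        return lambda ip: True
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def header_matches(flow, variables):
    """True if the flow satisfies the rule header under the given variables."""
    src_ok = resolve(RULE_HEADER["src"], variables)(flow["src"])
    dst_ok = resolve(RULE_HEADER["dst"], variables)(flow["dst"])
    return src_ok and dst_ok and flow["dport"] == RULE_HEADER["dport"]


def evaluate(variables):
    """Return which of the two sample flows the header matches."""
    return {
        "inbound": header_matches(INBOUND, variables),
        "outbound": header_matches(OUTBOUND, variables),
    }


if __name__ == "__main__":
    for label, variables in (("any/any", BAD_VARS), ("!$HOME_NET", GOOD_VARS)):
        print(label, evaluate(variables))
```

With the "any/any" variables both flows match, which is exactly the false positive in the thread: an inbound message from ediets satisfies "from any to any on port 25". With HOME_NET, EXTERNAL_NET and SMTP_SERVERS pinned down, only the genuinely outbound flow matches the header.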