Snort mailing list archives

Re: VIRUS OUTBOUND .pif file attachment


From: Erek Adams <erek () snort org>
Date: Fri, 5 Sep 2003 13:47:58 -0400 (EDT)

On Fri, 5 Sep 2003, Stevo wrote:

When I click on the details of the event this is what I see (the email must
have cut off this section):

So this shows the email being sent from extra () eDiets com to
corporate () imandi com (which is our email domain).  So the email is actually
from an outside source and being sent inbound??

This is where I'm getting confused!

I've broken this up for easier readability.

1BDYB01 ([64.7.171.84]) by intranet1.renditionnetworks.com with
  Microsoft SMTPSVC(5.0.2195.6713)
Wed, 3 Sep 2003 10:02:04 -0700
From: <extra () eDiets com>
To: <corporate () imandi com>
Subject:

[...snip...]

According to that, the email is _from_ ediets.  Not from you.  Why?  Let's
see...

Let's look at the rule:

  alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND
  .pif file attachment"; flow:to_server,established;
  content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0;
  within:30; content:".pif|22|"; distance:0; within:30; nocase;
  classtype:suspicious-filename-detect; sid:721; rev:4;)

Now, that rule works, if you have your variables set right.  I'm going to
guess that you have:

        var HOME_NET any
        var EXTERNAL_NET any

In your snort.conf.  After that, SMTP_SERVERS gets set to the same as
HOME_NET.  So what that rule really reads is something like "from any to
any on port 25..."

Fix?  Change your snort.conf:

        var HOME_NET 10.10.10.0/24 (or whatever network you want to watch)
        var EXTERNAL_NET !$HOME_NET

And possibly:

        var SMTP_SERVERS 10.10.10.15 (or whatever the IP of the
mailserver)

That should help reduce the number of false positives that you see.  Oh,
and don't forget to restart Snort.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
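Added example, not from the original post or from the Snort project: a small Python model of how the address variables in the sid:721 rule header resolve, so the loose and corrected snort.conf settings discussed above can be compared against the inbound message Stevo saw. The HOME_NET range and the mail-server address 10.10.10.15 are the ones suggested in the reply, the remote address 64.7.171.84 comes from the quoted Received header, and only single CIDR values, "any" and "!$VAR" negation are modelled.

```python
import ipaddress

# Constructed model (not Snort's own code) of variable resolution for the
# header of sid:721: "alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25".
# Supports: "any", a single CIDR, "$VAR" references and "!$VAR" negation.

def resolve(var_defs, name):
    """Return (negated, networks). networks is None for 'any'.
    SMTP_SERVERS falls back to $HOME_NET, as Snort's default does."""
    value = var_defs.get(name, "$HOME_NET")
    negated = value.startswith("!")
    value = value.lstrip("!")
    if value.startswith("$"):                       # follow the reference
        inner_negated, nets = resolve(var_defs, value[1:])
        return negated != inner_negated, nets
    if value == "any":
        return negated, None
    return negated, [ipaddress.ip_network(value, strict=False)]

def matches(var_defs, name, ip):
    """True if ip falls inside the resolved variable (honouring negation)."""
    negated, nets = resolve(var_defs, name)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated

def rule_721_fires(var_defs, src_ip, dst_ip, dst_port):
    """Header match only; the content:/flow: options are not modelled."""
    return (dst_port == 25
            and matches(var_defs, "SMTP_SERVERS", src_ip)
            and matches(var_defs, "EXTERNAL_NET", dst_ip))

# The guessed (loose) config and the corrected one from the reply.
LOOSE = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
TIGHT = {"HOME_NET": "10.10.10.0/24", "EXTERNAL_NET": "!$HOME_NET",
         "SMTP_SERVERS": "10.10.10.15"}

# Constructed flows: the inbound ediets message, and a real outbound delivery.
INBOUND = ("64.7.171.84", "10.10.10.15", 25)
OUTBOUND = ("10.10.10.15", "64.7.171.84", 25)

if __name__ == "__main__":
    for label, cfg in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, "inbound fires:", rule_721_fires(cfg, *INBOUND),
              "outbound fires:", rule_721_fires(cfg, *OUTBOUND))
```

With the loose variables the inbound message trips the OUTBOUND rule; with HOME_NET, EXTERNAL_NET and SMTP_SERVERS set, only mail leaving the mail server toward the outside does.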

