Snort mailing list archives
Re: VIRUS OUTBOUND .pif file attachment
From: "Stevo" <checkpoint () ozbergs com>
Date: Fri, 5 Sep 2003 11:28:32 -0700
Erek,

Good suggestions - I had my SMTP_Servers and Home_NET variables set up correctly, but the External_Net was defined as ANY. I changed that to !$HOME_NET and we seem to be back in business!! Whew...

Thanks
Stevo

----- Original Message -----
From: "Erek Adams" <erek () snort org>
To: "Stevo" <checkpoint () ozbergs com>
Cc: "Erek Adams" <erek () snort org>; <snort-users () lists sourceforge net>
Sent: Friday, September 05, 2003 10:47 AM
Subject: Re: [Snort-users] VIRUS OUTBOUND .pif file attachment
On Fri, 5 Sep 2003, Stevo wrote:

> When I click on the details of the event this is what I see (the email
> must have cut off this section):
>
> So this shows the email being sent from extra () eDiets com to
> corporate () imandi com (which is our email domain). So the email is
> actually from an outside source and being sent inbound?? This is where
> I'm getting confused!

I've broken this up for easier readability.

1BDYB01 ([64.7.171.84]) by intranet1.renditionnetworks.com with
  Microsoft SMTPSVC(5.0.2195.6713)
  Wed, 3 Sep 2003 10:02:04 -0700
From: <extra () eDiets com>
To: <corporate () imandi com>
Subject:
[...snip...]

According to that, the email is _from_ ediets. Not from you. Why? Let's see... Let's look at the rule:

alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .pif file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:30; content:".pif|22|"; distance:0; within:30; nocase; classtype:suspicious-filename-detect; sid:721; rev:4;)

Now, that rule works--if you have your variables set right. I'm going to guess that you have:

var HOME_NET any
var EXTERNAL_NET any

in your snort.conf. After that, SMTP_SERVERS gets set to the same as HOME_NET. So what that rule really reads is something like "from any to any on port 25..."

Fix? Change your snort.conf:

var HOME_NET 10.10.10.0/24 (or whatever network you want to watch)
var EXTERNAL_NET !$HOME_NET

And possibly:

var SMTP_SERVERS 10.10.10.15 (or whatever the IP of the mailserver)

That should help reduce the number of false positives that you see. Oh, and don't forget to restart Snort.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

------------------------------------------------------- This sf.net email is sponsored by: ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
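The point of Erek's answer is that the rule header only means "outbound" after the variables are resolved: with HOME_NET and EXTERNAL_NET both set to any, SMTP_SERVERS inherits any and the header collapses to any -> any 25, so inbound delivery from an outside MTA fires the "OUTBOUND" rule. The script below is an added illustration (not Snort's code and not part of this thread) that resolves Snort-style variables in a rule header and evaluates it against constructed sample flows under both the guessed weak snort.conf and Erek's corrected one. The 10.10.10.0/24 and 10.10.10.15 values are Erek's examples, 64.7.171.84 is the relay address from the quoted Received header, and the 198.51.100.7 and 10.10.10.20 hosts, the ports, and the `var SMTP_SERVERS $HOME_NET` line (the usual snort.conf default, assumed here) are constructed. Only the subset of Snort address syntax needed for this case is handled.

```python
"""Resolve Snort-style network variables and evaluate a rule header.

Added example, not Snort's own code: shows why
    $SMTP_SERVERS any -> $EXTERNAL_NET 25
matches inbound mail when HOME_NET and EXTERNAL_NET are both 'any'.
Handles only: any, single IP, CIDR block, $VAR reference, leading '!'
negation, and a [a,b,...] list.
"""
import ipaddress


def parse_vars(conf_text):
    """Collect 'var NAME VALUE' lines into a dict (later lines override)."""
    variables = {}
    for line in conf_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = parts[2]
    return variables


def address_matches(expr, ip, variables, depth=0):
    """Return True if ip (str) is covered by the Snort address expression."""
    if depth > 16:
        raise ValueError("variable reference loop in " + expr)
    expr = expr.strip()
    if expr.startswith("!"):
        return not address_matches(expr[1:], ip, variables, depth + 1)
    if expr.startswith("$"):
        name = expr[1:]
        if name not in variables:
            raise KeyError("undefined Snort variable $" + name)
        return address_matches(variables[name], ip, variables, depth + 1)
    if expr.startswith("[") and expr.endswith("]"):
        return any(address_matches(item, ip, variables, depth + 1)
                   for item in expr[1:-1].split(","))
    if expr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def header_matches(rule_header, flow, variables):
    """Evaluate 'proto src sport -> dst dport' against a flow tuple.

    flow = (proto, src_ip, src_port, dst_ip, dst_port), client -> server.
    This is the header check Snort does before looking at payload options.
    """
    proto, src, sport, arrow, dst, dport = rule_header.split()
    if arrow != "->":
        raise ValueError("only unidirectional headers are supported here")
    if proto != flow[0]:
        return False
    if not address_matches(src, flow[1], variables):
        return False
    if sport != "any" and int(sport) != flow[2]:
        return False
    if not address_matches(dst, flow[3], variables):
        return False
    if dport != "any" and int(dport) != flow[4]:
        return False
    return True


RULE_HEADER = "tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25"

# Guessed weak configuration: everything is 'any', so SMTP_SERVERS inherits
# 'any' (assumed default: var SMTP_SERVERS $HOME_NET) and the header
# degenerates to 'any -> any 25'.
WEAK_CONF = """\
var HOME_NET any
var EXTERNAL_NET any
var SMTP_SERVERS $HOME_NET
"""

# Erek's corrected configuration.
FIXED_CONF = """\
var HOME_NET 10.10.10.0/24
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS 10.10.10.15
"""

# Constructed sample flows (client -> server, as flow:to_server implies).
INBOUND_MAIL = ("tcp", "64.7.171.84", 40123, "10.10.10.15", 25)    # outside MTA delivering to us
OUTBOUND_MAIL = ("tcp", "10.10.10.15", 40124, "198.51.100.7", 25)  # our MTA sending out
INTERNAL_RELAY = ("tcp", "10.10.10.15", 40125, "10.10.10.20", 25)  # never leaves HOME_NET


def evaluate(conf_text):
    """Return which of the three sample flows the rule header fires on."""
    variables = parse_vars(conf_text)
    return {
        "inbound": header_matches(RULE_HEADER, INBOUND_MAIL, variables),
        "outbound": header_matches(RULE_HEADER, OUTBOUND_MAIL, variables),
        "internal": header_matches(RULE_HEADER, INTERNAL_RELAY, variables),
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, evaluate(conf))
```

Under the weak configuration all three flows match, including the inbound delivery that produced Stevo's alert; under the corrected one only the genuine outbound flow does, because the source must be the mail server and the destination must fall outside HOME_NET. Running it after any variable change is a quick sanity check that the header still describes the direction the rule name claims.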