<div dir="ltr">Sean;<div><br></div><div>I'm familiar with Suricata's SMTP and MIME code.  If you can provide a pcap containing the offending traffic I can take a look.  Send the pcap off list for the pcap if necessary.</div><div><br></div><div>Tom</div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jan 12, 2017 at 10:43 AM Cloherty, Sean E <<a href="mailto:scloherty@mitre.org">scloherty@mitre.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-US" link="#0563C1" vlink="#954F72" class="gmail_msg">
<div class="m_-2415603067348839727WordSection1 gmail_msg">
<p class="m_-2415603067348839727MsoPlainText gmail_msg">I've done some additional testing by enabling some of the Suricata rules on a test server and I see the following.  Anyone have input on what can cause them to fire ? (This is Suricata 3.2 on CentOS 7.2) .  Thes are from diffrerent flows
 at different times but these rules are firing frequently.<u class="gmail_msg"></u><u class="gmail_msg"></u></p>
<p class="m_-2415603067348839727MsoPlainText gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
<p class="m_-2415603067348839727MsoPlainText gmail_msg"><i class="gmail_msg">External source to an internal host:<u class="gmail_msg"></u><u class="gmail_msg"></u></i></p>
<p class="m_-2415603067348839727MsoPlainText gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
<p class="m_-2415603067348839727MsoPlainText gmail_msg">idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding failed [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:2728 -> xxx.xxx.xxx.xxx:25<u class="gmail_msg"></u><u class="gmail_msg"></u></p>
<p class="m_-2415603067348839727MsoPlainText gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
<p class="m_-2415603067348839727MsoPlainText gmail_msg"><i class="gmail_msg">Internal to internal traffic:<u class="gmail_msg"></u><u class="gmail_msg"></u></i></p>
<p class="m_-2415603067348839727MsoPlainText gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
<p class="m_-2415603067348839727MsoPlainText gmail_msg">idstest suricata[7241]: [1:2220004:1] SURICATA SMTP invalid pipelined sequence [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:52298 -> xxx.xxx.xxx.xxx:25<u class="gmail_msg"></u><u class="gmail_msg"></u></p>
<p class="m_-2415603067348839727MsoPlainText gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
<p class="m_-2415603067348839727MsoPlainText gmail_msg"><i class="gmail_msg">Internal to internal traffic:<u class="gmail_msg"></u><u class="gmail_msg"></u></i></p>
<p class="m_-2415603067348839727MsoPlainText gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
<p class="m_-2415603067348839727MsoPlainText gmail_msg">idstest suricata[9850]: [1:2220019:1] SURICATA SMTP unparsable content [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:40738 -> xxx.xxx.xxx.xxx:25<u class="gmail_msg"></u><u class="gmail_msg"></u></p>
<p class="m_-2415603067348839727MsoPlainText gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
<p class="MsoNormal gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
<p class="MsoNormal gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
<p class="MsoNormal gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
<p class="MsoNormal gmail_msg">Sean Cloherty<u class="gmail_msg"></u><u class="gmail_msg"></u></p>
<p class="MsoNormal gmail_msg">InfoSec Engineer/Scientist, Lead<u class="gmail_msg"></u><u class="gmail_msg"></u></p>
<p class="MsoNormal gmail_msg"><span style="font-family:MITRE;color:#2e74b5" class="gmail_msg">MITRE</span> Corporation<u class="gmail_msg"></u><u class="gmail_msg"></u></p>
<p class="MsoNormal gmail_msg">office <a href="tel:(781)%20271-3707" value="+17812713707" class="gmail_msg" target="_blank">(781) 271-3707</a><u class="gmail_msg"></u><u class="gmail_msg"></u></p>
<p class="MsoNormal gmail_msg">cell      <a href="tel:(781)%20697-8043" value="+17816978043" class="gmail_msg" target="_blank">(781) 697-8043</a><u class="gmail_msg"></u><u class="gmail_msg"></u></p>
<p class="MsoNormal gmail_msg"><u class="gmail_msg"></u> <u class="gmail_msg"></u></p>
</div>
</div>

_______________________________________________<br class="gmail_msg">
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" class="gmail_msg" target="_blank">oisf-users@openinfosecfoundation.org</a><br class="gmail_msg">
Site: <a href="http://suricata-ids.org" rel="noreferrer" class="gmail_msg" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" class="gmail_msg" target="_blank">http://suricata-ids.org/support/</a><br class="gmail_msg">
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" class="gmail_msg" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br class="gmail_msg">
</blockquote></div>