[Oisf-users] Rules with file_data SMTP not firing on SMTP traffic

Cloherty, Sean E scloherty at mitre.org
Wed Aug 3 13:40:09 UTC 2016


The suggested upgrade did resolve some of our issues, but there is still one SMTP issue that we haven't been able to solve regarding hex bytes.

Suricata is not triggering on detection for SMTP when using the file_data option looking for hex bytes. For example, I want to look for file_data and the bytes ab cd ef gh.

Has anyone else run into this?

-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Tuesday, July 19, 2016 18:39 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Rules with file_data SMTP not firing on SMTP traffic

On 19-07-16 22:47, Cloherty, Sean E wrote:
> We’ve been a bit confounded by some of our rules not alerting.  The
> commonality is that they use file_data and it is looking for SMTP
> traffic. This is essentially an example of what the simplest of
> these rules contains:
>
> tcp any any -> $HOME_NET 25 (sid:xxxxxxx; gid:1; msg:"Test Mail"; 
> file_data; content:"%PDF-1.4 Foo"; classtype:string-detect; rev:1;
> reference:Test;)
>
> We have both Snort and Suricata running on one segment using the same 
> rule set. Snort fires and Suricata doesn’t when this traffic passes 
> the sensors.  My colleague took some pcap of the traffic in question 
> and ran it on our test box and got the same results – fires in Snort, 
> not in Suricata.
>
> As a further test, we enabled the EVE logging (currently only using 
> unified format for Barnyard2 and FAST.LOG) and the traffic was there 
> in the EVE logs.  That is a good sign, but is even more puzzling since 
> there is no record of an alert in the fast.log nor in the barnyard 
> spooled logs.
>
> We are running 3.0.1 on Centos 7, and running in AF-PACKET workers 
> mode, smtp is enabled as are the MIME-decoding features.
>
> Any suggestions of where else to look would be appreciated.
> 

Quite a few improvements were made for smtp file inspection in 3.1, so I would suggest trying 3.1.1.

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
