[Oisf-users] Rules with file_data SMTP not firing on SMTP traffic

Peter Manev petermanev at gmail.com
Wed Aug 3 13:48:12 UTC 2016


On Wed, Aug 3, 2016 at 2:40 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
> The suggested upgrade did resolve some of our issues, but there is still one SMTP issue that we haven't been able to solve regarding hex bytes.
>
> Suricata is not triggering on detection for SMTP when using the file_data option looking for hex bytes. For example, I want to look for file_data and the bytes ab cd ef gh.
>
> Has anyone else run into this?

Please feel free to open a bug report with a reproducible case -
rule/pcap - so we can track it better.

>
> -----Original Message-----
> From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Victor Julien
> Sent: Tuesday, July 19, 2016 18:39 PM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Rules with file_data SMTP not firing on SMTP traffic
>
> On 19-07-16 22:47, Cloherty, Sean E wrote:
>> We’ve been a bit confounded by some of our rules not alerting.  The
>> commonality is that they use file_data and it is looking for SMTP
>> traffic. This is essentially what the simplest of these rules
>> contains:
>>
>>
>>
>> tcp any any -> $HOME_NET 25 (sid:xxxxxxx; gid:1; msg:"Test Mail";
>> file_data; content:"%PDF-1.4 Foo"; classtype:string-detect; rev:1;
>> reference:Test;)
>>
>>
>>
>> We have both Snort and Suricata running on one segment using the same
>> rule set. Snort fires and Suricata doesn’t when this traffic passes
>> the sensors.  My colleague took some pcap of the traffic in question
>> and ran it on our test box and got the same results – fires in Snort,
>> not in Suricata.
>>
>>
>>
>> As a further test, we enabled the EVE logging (currently only using
>> unified format for Barnyard2 and FAST.LOG) and the traffic was there
>> in the EVE logs.  That is a good sign, but is even more puzzling since
>> there is no record of an alert in the fast.log nor in the barnyard
>> spooled logs.
>>
>>
>>
>> We are running 3.0.1 on Centos 7, and running in AF-PACKET workers
>> mode, smtp is enabled as are the MIME-decoding features.
>>
>>
>>
>> Any suggestions of where else to look would be appreciated.
>>
>
> Quite a few improvements were made for smtp file inspection in 3.1, so I would suggest trying 3.1.1.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net



-- 
Regards,
Peter Manev
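
Added example, not part of the original thread and not Suricata code: a Python sketch showing why a file_data pattern such as the one in the quoted rule is only visible after MIME decoding, because the attachment travels base64-encoded on the wire. The sample message, addresses and helper names are constructed assumptions, and the content parser handles only plain text and |hex| runs (no escapes).

```python
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def parse_content(pattern: str) -> bytes:
    """Convert a rule-style content string ("text|0d 0a|text") to bytes."""
    out = bytearray()
    # Segments at odd positions sit between pipes and are hex byte runs.
    for i, seg in enumerate(pattern.split("|")):
        if i % 2:
            out += bytes.fromhex(seg)  # ValueError if a byte is not valid hex
        else:
            out += seg.encode("latin-1")
    return bytes(out)


def build_sample_message() -> bytes:
    """Constructed test mail carrying one base64-encoded attachment."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.com"   # constructed address
    msg["To"] = "rcpt@example.com"       # constructed address
    msg["Subject"] = "Test Mail"
    msg.attach(MIMEText("see attachment", "plain"))
    att = MIMEApplication(b"%PDF-1.4 Foo\n%constructed body\n", _subtype="pdf")
    att.add_header("Content-Disposition", "attachment", filename="test.pdf")
    msg.attach(att)
    return msg.as_bytes()


def raw_match(wire: bytes, needle: bytes) -> bool:
    """Search the undecoded message bytes, as a plain payload match would."""
    return needle in wire


def decoded_match(wire: bytes, needle: bytes) -> bool:
    """Search each attachment after its transfer encoding is removed."""
    for part in message_from_bytes(wire).walk():
        if part.get_filename():
            if needle in (part.get_payload(decode=True) or b""):
                return True
    return False


if __name__ == "__main__":
    wire = build_sample_message()
    for rule_content in ("%PDF-1.4 Foo", "|25 50 44 46|-1.4 Foo"):
        needle = parse_content(rule_content)
        print(rule_content, raw_match(wire, needle), decoded_match(wire, needle))
```

A message built this way can be sent through a lab SMTP server while capturing traffic to produce the rule/pcap pair requested for a bug report.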


