[Oisf-users] Rules with file_data SMTP not firing on SMTP traffic

Cloherty, Sean E scloherty at mitre.org
Tue Jul 19 20:47:27 UTC 2016


Hello all.

We've been a bit confounded by some of our rules not alerting. The commonality is that they use file_data and are looking for SMTP traffic. This is essentially an example of what the simplest of these rules contains:

alert tcp any any -> $HOME_NET 25 (sid:xxxxxxx; gid:1; msg:"Test Mail"; file_data; content:"%PDF-1.4 Foo"; classtype:string-detect; rev:1; reference:Test;)

We have both Snort and Suricata running on one segment using the same rule set. Snort fires and Suricata doesn't when this traffic passes the sensors.  My colleague took some pcap of the traffic in question and ran it on our test box and got the same results - fires in Snort, not in Suricata.

As a further test, we enabled the EVE logging (currently only using unified format for Barnyard2 and FAST.LOG) and the traffic was there in the EVE logs.  That is a good sign, but is even more puzzling since there is no record of an alert in the fast.log nor in the barnyard spooled logs.

We are running 3.0.1 on CentOS 7 in AF-PACKET workers mode; smtp is enabled, as are the MIME-decoding features.

Any suggestions of where else to look would be appreciated.
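An added triage helper, not part of the original post or of the Suricata project: it reads EVE JSON (constructed sample lines, embedded below) and lists the SMTP flows where a fileinfo record shows a PDF attachment but no alert event was emitted, which is exactly the mismatch described above. The field names used (flow_id, event_type, app_proto, fileinfo.magic) are assumed to be present in the EVE output.

```python
import json
from collections import defaultdict

# Constructed sample EVE lines (not taken from the original post): flow 1001 carries a
# PDF attachment that produced a fileinfo record but no alert; flow 1002 did alert.
SAMPLE_EVE = r'''
{"timestamp":"2016-07-19T20:00:01.000000+0000","flow_id":1001,"event_type":"smtp","src_ip":"10.0.0.5","dest_ip":"10.0.0.25","dest_port":25,"smtp":{"helo":"client.example","mail_from":"<a@example>","rcpt_to":["<b@example>"]}}
{"timestamp":"2016-07-19T20:00:01.100000+0000","flow_id":1001,"event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.25","dest_port":25,"app_proto":"smtp","fileinfo":{"filename":"invoice.pdf","magic":"PDF document, version 1.4","state":"CLOSED","size":4321}}
{"timestamp":"2016-07-19T20:00:02.000000+0000","flow_id":1002,"event_type":"fileinfo","src_ip":"10.0.0.6","dest_ip":"10.0.0.25","dest_port":25,"app_proto":"smtp","fileinfo":{"filename":"report.pdf","magic":"PDF document, version 1.4","state":"CLOSED","size":999}}
{"timestamp":"2016-07-19T20:00:02.200000+0000","flow_id":1002,"event_type":"alert","src_ip":"10.0.0.6","dest_ip":"10.0.0.25","dest_port":25,"app_proto":"smtp","alert":{"signature_id":9000001,"rev":1,"signature":"Test Mail"}}
'''


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            continue  # a truncated line at the end of a live log is common; ignore it
    return events


def smtp_files_without_alert(events, magic_prefix="PDF"):
    """Return {flow_id: [filenames]} for SMTP flows whose extracted file matched
    magic_prefix but for which no alert event exists. A non-empty result means
    the SMTP/MIME parser saw the attachment, yet no rule fired on that flow."""
    files, alerted = defaultdict(list), set()
    for ev in events:
        fid, etype = ev.get("flow_id"), ev.get("event_type")
        if etype == "alert":
            alerted.add(fid)
        elif etype == "fileinfo" and ev.get("app_proto") == "smtp":
            info = ev.get("fileinfo", {})
            if info.get("magic", "").startswith(magic_prefix):
                files[fid].append(info.get("filename"))
    return {fid: names for fid, names in files.items() if fid not in alerted}


if __name__ == "__main__":
    for fid, names in sorted(smtp_files_without_alert(parse_eve(SAMPLE_EVE)).items()):
        print("flow %s: %s seen by SMTP parser but no alert" % (fid, ", ".join(names)))
```

Point it at a real eve.json by replacing SAMPLE_EVE with the file contents; any flow it reports is one where file extraction worked but detection did not, which narrows the problem to the rule or the file_data/SMTP inspection path rather than to the parser.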


