[Oisf-users] Rules with file_data SMTP not firing on SMTP traffic

Victor Julien lists at inliniac.net
Tue Jul 19 22:39:11 UTC 2016


On 19-07-16 22:47, Cloherty, Sean E wrote:
> We’ve been a bit confounded by some of our rules not alerting.  The
> commonality is that they use file_data and are looking for SMTP
> traffic. This is essentially an example of what the simplest of
> these rules contains:
> 
> alert tcp any any -> $HOME_NET 25 (sid:xxxxxxx; gid:1; msg:"Test Mail";
> file_data; content:"%PDF-1.4 Foo"; classtype:string-detect; rev:1;
> reference:Test;)
> 
> We have both Snort and Suricata running on one segment using the same
> rule set. Snort fires and Suricata doesn’t when this traffic passes the
> sensors.  My colleague took some pcap of the traffic in question and ran
> it on our test box and got the same results – fires in Snort, not in
> Suricata.
> 
> As a further test, we enabled the EVE logging (currently only using
> unified format for Barnyard2 and FAST.LOG) and the traffic was there in
> the EVE logs.  That is a good sign, but is even more puzzling since
> there is no record of an alert in the fast.log nor in the barnyard
> spooled logs.
> 
> We are running 3.0.1 on CentOS 7 in AF-PACKET workers mode; smtp is
> enabled, as are the MIME-decoding features.
> 
> Any suggestions of where else to look would be appreciated.
> 

Quite a few improvements were made for smtp file inspection in 3.1, so I
would suggest trying 3.1.1.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
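Added example (editor's addition, not code from this thread or from the Suricata project): a small Python script that builds the kind of pcap the poster replayed, one SMTP transaction carrying a base64-encoded attachment whose decoded bytes start with "%PDF-1.4 Foo", so the same input can be run through Suricata and Snort side by side, and again after the suggested upgrade to 3.1.1, without depending on live traffic. The IP and MAC addresses, host names, message headers, attachment bytes and rule sids are all made up; the test rule uses `any` instead of `$HOME_NET` so the lab addresses need no variable.

```python
"""Build a pcap of one SMTP transaction carrying a base64 PDF attachment, for
replaying through `suricata -r` / `snort -r`. Added example, not code from the
thread or from Suricata; addresses, MACs and the attachment are made up."""
import base64
import struct

CLIENT_IP, CLIENT_PORT, CLIENT_MAC = "10.0.0.2", 40000, bytes.fromhex("020000000002")
SERVER_IP, SERVER_PORT, SERVER_MAC = "10.0.0.1", 25, bytes.fromhex("020000000001")
SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10

# Constructed attachment: begins with the bytes the thread's rule looks for.
ATTACHMENT = b"%PDF-1.4 Foo\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

# Constructed rules: the thread's rule, plus a filestore rule that shows whether
# the engine extracted any file from the session at all (sids are arbitrary).
TEST_RULES = (
    'alert tcp any any -> any 25 (msg:"Test Mail"; file_data; content:"%PDF-1.4 Foo"; sid:1000001; rev:1;)\n'
    'alert tcp any any -> any 25 (msg:"SMTP file extracted"; filestore; sid:1000002; rev:1;)\n')

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when run over a header with its field set."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_message(attachment: bytes) -> bytes:
    """multipart/mixed message with CRLF endings and the terminating '.' line.
    On the wire the PDF header exists only base64-encoded, so a bare content
    match cannot see it; file_data is what exposes the decoded file."""
    b64 = base64.encodebytes(attachment).replace(b"\n", b"\r\n")
    return (b"From: sender@example.com\r\nTo: rcpt@example.net\r\n"
            b"Subject: file_data test\r\nMIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            b"--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
            b'--b1\r\nContent-Type: application/pdf; name="test.pdf"\r\n'
            b"Content-Transfer-Encoding: base64\r\n"
            b'Content-Disposition: attachment; filename="test.pdf"\r\n\r\n'
            + b64 + b"--b1--\r\n.\r\n")

class SmtpSession:
    """Emits Ethernet/IPv4/TCP frames with valid checksums and sequence numbers
    (Suricata drops bad-checksum packets from reassembly unless run with -k none)."""
    HOSTS = {"c": (CLIENT_IP, CLIENT_PORT, CLIENT_MAC),
             "s": (SERVER_IP, SERVER_PORT, SERVER_MAC)}

    def __init__(self):
        self.frames, self.ipid = [], 1
        self.seq = {"c": 1000, "s": 5000}          # next sequence number per side

    def frame(self, side, flags, payload=b""):
        other = "s" if side == "c" else "c"
        (sip, sport, smac), (dip, dport, dmac) = self.HOSTS[side], self.HOSTS[other]
        src, dst = (bytes(map(int, a.split("."))) for a in (sip, dip))
        ack = self.seq[other] if flags & ACK else 0
        tcp = struct.pack("!HHIIBBHHH", sport, dport, self.seq[side], ack,
                          5 << 4, flags, 65535, 0, 0) + payload
        pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), self.ipid,
                         0x4000, 64, 6, 0, src, dst)
        ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
        self.ipid += 1
        self.frames.append(dmac + smac + b"\x08\x00" + ip + tcp)
        # SYN and FIN each consume one sequence number; data consumes its length.
        self.seq[side] += len(payload) + (1 if flags & (SYN | FIN) else 0)

    def say(self, side, data):
        """One side sends data in 1400-byte segments; the peer ACKs each one."""
        for i in range(0, len(data), 1400):
            self.frame(side, PSH | ACK, data[i:i + 1400])
            self.frame("s" if side == "c" else "c", ACK)

def build_smtp_session(attachment: bytes) -> list:
    """Three-way handshake, a minimal ESMTP dialogue, and a FIN teardown."""
    s = SmtpSession()
    for side, flags in (("c", SYN), ("s", SYN | ACK), ("c", ACK)):
        s.frame(side, flags)
    dialogue = [("s", b"220 mail.example.net ESMTP\r\n"), ("c", b"EHLO client.example.com\r\n"),
                ("s", b"250 mail.example.net\r\n"), ("c", b"MAIL FROM:<sender@example.com>\r\n"),
                ("s", b"250 Ok\r\n"), ("c", b"RCPT TO:<rcpt@example.net>\r\n"),
                ("s", b"250 Ok\r\n"), ("c", b"DATA\r\n"),
                ("s", b"354 End data with <CR><LF>.<CR><LF>\r\n"), ("c", build_message(attachment)),
                ("s", b"250 Ok: queued\r\n"), ("c", b"QUIT\r\n"), ("s", b"221 Bye\r\n")]
    for side, text in dialogue:
        s.say(side, text)
    for side, flags in (("c", FIN | ACK), ("s", FIN | ACK), ("c", ACK)):
        s.frame(side, flags)
    return s.frames

def to_pcap(frames, ts=1468965600) -> bytes:
    """Classic libpcap container, link type 1 (Ethernet); ts is an arbitrary epoch."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", ts, i * 1000, len(f), len(f)) + f)
    return b"".join(out)

if __name__ == "__main__":
    frames = build_smtp_session(ATTACHMENT)
    open("test_smtp.pcap", "wb").write(to_pcap(frames))
    open("test.rules", "w").write(TEST_RULES)
    print("wrote test_smtp.pcap (%d frames) and test.rules" % len(frames))
```

Running the script writes test_smtp.pcap and test.rules; then `suricata -r test_smtp.pcap -S test.rules -l out/` and look at out/fast.log and out/eve.json (with the `files` output type enabled in eve-log), and `snort -r test_smtp.pcap -c snort.conf -A console` for the Snort side. The second rule carries `filestore` and no content match, so it separates two failure modes: if a fileinfo event shows up and sid 1000002 fires while 1000001 stays silent, Suricata extracted the attachment but the file_data buffer did not match; if neither fires, the SMTP/MIME file-tracking path is not engaging at all, which is the area Victor says was reworked in 3.1. The generated frames carry valid IP and TCP checksums, so `-k none` is not needed for this capture; for a pcap taken from a span port with checksum offloading in play it often is, and that alone can make a rule fire in one engine and not the other.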
