[Oisf-users] Suricata SMTP Rules Fired - Now What...?

Cloherty, Sean E scloherty at mitre.org
Wed Feb 22 20:41:25 UTC 2017


I've not been able to reliably create a PCAP to share which illustrates the problem.

However - the post by Clark Kent is a very good description of my SMTP attachment problem, but stated much more clearly than I was able to do.

Oddly - when testing - I created three file rules - one each for smtp, tcp, and http (this is for an http attachment in an http formatted email).

Only the tcp alert worked.  Not sure if that is relevant.

-----Original Message-----
From: Peter Manev [mailto:petermanev at gmail.com] 
Sent: Thursday, January 26, 2017 08:25 AM
To: Cloherty, Sean E <scloherty at mitre.org>
Cc: Andreas Herz <andi at geekosphere.org>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata SMTP Rules Fired - Now What...?

On Fri, Jan 13, 2017 at 11:26 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
> "Without the traffic it's hard to tell if it's false positive or correct matches."
>
> - Agreed - but since we've been struggling to get SMTP rules to work in Suricata, I would lean towards these alerts being related, if not indicators of some underlying issue dogging our SMTP rules.  Notably, the rules failing are content matches on Base64 encoded attachments.
>

Sean you mentioned during the training in Sunnyvale that there might be a relevant pcap that would be possible to share?

> Description / configuration
>
> I've attached my yaml and the startup script.
>
> Server is running CentOS 7.2 / 3.10.0-327.36.3.el7.x86_64
> 128 GB RAM / 32 CPU Threads / Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
> I am using CPU affinity to allow workers only on the cpus in the same NUMA as the NIC (thank you Peter!)
> NIC = Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01) (Intel 10Gb - ixgbe 4.4.6 drivers)
>
> -----Original Message-----
> From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Andreas Herz
> Sent: Friday, January 13, 2017 16:16 PM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata SMTP Rules Fired - Now What...?
>
> On 13/01/17 at 17:50, Cloherty, Sean E wrote:
>> Thanks Tom.  I appreciate your offer, but since this is email and there is PII etc., I am not sure that is in the cards.  Need another way to skin this cat.
>
> Without the traffic it's hard to tell if it's false positive or correct matches.
>
>> Are there server, suricata compile errors, or suricata.yaml configuration values which I should check to eliminate the most likely causes?
>
> You could describe your setup more, how you run suricata, in which mode and what you did configure (beside defaults).
>
> --
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>



--
Regards,
Peter Manev
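To illustrate why a content match against the raw base64 stream of an attachment is unreliable (an added example, not code from the thread or from Suricata): the same attachment bytes encode to different characters depending on their byte offset modulo 3, and MIME line wrapping at 76 columns can split the encoded run across a line break, whereas matching after decoding is independent of both. The marker bytes, filler and offsets below are constructed.

```python
import base64

# Constructed marker bytes (not from the thread); any fixed byte string works.
MARKER = b"MZ\x90\x00\x03\x00"   # 6 bytes, so its aligned encoding has no '=' padding


def encode_attachment(payload: bytes, wrap: int = 76) -> str:
    """Base64-encode payload and wrap it at `wrap` columns, as MIME transfer encoding does."""
    enc = base64.b64encode(payload).decode("ascii")
    return "\r\n".join(enc[i:i + wrap] for i in range(0, len(enc), wrap))


def raw_stream_match(encoded: str, marker: bytes) -> bool:
    """Emulate a content match on the undecoded base64 stream: look for the
    encoding of `marker` as it appears when the marker starts on a 3-byte boundary."""
    return base64.b64encode(marker).decode("ascii") in encoded


def decoded_match(encoded: str, marker: bytes) -> bool:
    """Emulate matching after MIME decoding: unwrap the lines, decode, then search bytes."""
    return marker in base64.b64decode("".join(encoded.split("\r\n")))


def offsets_missed_by_raw_match(max_offset: int = 60) -> list:
    """Place MARKER at every byte offset below `max_offset` inside a filler body and
    return the offsets at which only the decoded match finds it."""
    missed = []
    for off in range(max_offset):
        payload = b"x" * off + MARKER + b"y" * 40
        enc = encode_attachment(payload)
        assert decoded_match(enc, MARKER)        # decoding first always finds it
        if not raw_stream_match(enc, MARKER):
            missed.append(off)
    return missed


if __name__ == "__main__":
    missed = offsets_missed_by_raw_match()
    # Every offset that is not a multiple of 3 is missed (alignment changes the
    # encoded characters), and so is offset 54, where the encoded run straddles
    # the 76-column line wrap.
    print(f"{len(missed)} of 60 offsets missed by the raw-stream match: {missed}")
```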

