[Oisf-users] Suricata SMTP Rules Fired - Now What...?
Cloherty, Sean E
scloherty at mitre.org
Wed Feb 22 20:41:25 UTC 2017
I've not been able to reliably create a PCAP to share which illustrates the problem.
However - the post by Clark Kent is a very good description of my SMTP attachment problem, but stated much more clearly than I was able to do.
Oddly - when testing - I created three file rules - one each for smtp, tcp, and http (this is for an http attachment in an http formatted email).
Only the tcp alert worked. Not sure if that is relevant.
-----Original Message-----
From: Peter Manev [mailto:petermanev at gmail.com]
Sent: Thursday, January 26, 2017 08:25 AM
To: Cloherty, Sean E <scloherty at mitre.org>
Cc: Andreas Herz <andi at geekosphere.org>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata SMTP Rules Fired - Now What...?
On Fri, Jan 13, 2017 at 11:26 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
> "Without the traffic it's hard to tell if it's false positive or correct matches."
>
> - Agreed - but since we've been struggling to get SMTP rules to work in Suricata, I would lean towards these alerts being related, if not indicators of some underlying issue dogging our SMTP rules. Notably, the rules failing are content matches on Base64 encoded attachments.
>
Sean you mentioned during the training in Sunnyvale that there might be a relevant pcap that would be possible to share?
> Description / configuration
>
> I've attached my yaml and the startup script.
>
> Server is running CentOS 7.2 / 3.10.0-327.36.3.el7.x86_64
> 128 GB RAM / 32 CPU Threads / Intel(R) Xeon(R) CPU E5-2640 v3 @
> 2.60GHz I am using CPU affinity to allow workers only on the cpus in
> the same NUMA as the NIC (thank you Peter!) NIC = Intel Corporation
> 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01) (Intel 10Gb -
> ixgbe 4.4.6 drivers)
>
> -----Original Message-----
> From: Oisf-users
> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf
> Of Andreas Herz
> Sent: Friday, January 13, 2017 16:16 PM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata SMTP Rules Fired - Now What...?
>
> On 13/01/17 at 17:50, Cloherty, Sean E wrote:
>> Thanks Tom. I appreciate your offer, but since this is email and
>> there is PII etc., I am not sure that is in the cards. Need another
>> way to skin this cat.
>
> Without the traffic it's hard to tell if it's false positive or correct matches.
>
>> Are there server, suricata compile errors, or suricata.yaml
>> configuration values which I should check to eliminate the most
>> likely causes?
>
> You could describe your setup more, how you run suricata, in which mode and what you did configure (beside defaults).
>
> --
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
--
Regards,
Peter Manev
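Sean notes above that the failing rules are content matches on Base64-encoded attachments. As an added example that is not from this thread or from the Suricata project, the following Python shows two reasons such a match is fragile in any engine: the same bytes encode differently depending on their offset modulo 3, and MIME wraps the encoded text at 76 columns. The functions `base64_variants`, `naive_match`, `alignment_aware_match` and the sample attachment are constructed for this illustration.

```python
import base64
import re
from typing import List, Optional

# Constructed signature string; it is not a rule from the thread.
PATTERN = b"This program cannot be run in DOS mode."


def base64_variants(pattern: bytes) -> List[bytes]:
    """Return the three encodings of `pattern`, one per byte offset modulo 3.

    Base64 packs 3 bytes into 4 characters, so the same bytes encode to a
    different string depending on where they start inside the attachment.
    Prefix the pattern with 0, 1 or 2 filler bytes, encode, then keep only
    the characters whose bits come entirely from `pattern`.
    """
    variants = []
    for lead in range(3):
        enc = base64.b64encode(b"\x00" * lead + pattern)
        start = -(-8 * lead // 6)               # chars touched by filler bits
        stop = 8 * (lead + len(pattern)) // 6   # last char fully from pattern
        variants.append(enc[start:stop])
    return variants


def naive_match(b64_body: bytes, pattern: bytes) -> bool:
    """A single content match on base64(pattern), as typed against the raw body."""
    return base64.b64encode(pattern) in b64_body


def alignment_aware_match(b64_body: bytes, pattern: bytes) -> Optional[int]:
    """Return the alignment (0, 1 or 2) that matched, or None.

    MIME wraps base64 at 76 columns, so CR/LF is removed first; otherwise a
    variant straddling a line boundary is missed as well.
    """
    stream = re.sub(rb"\s+", b"", b64_body)
    for offset, variant in enumerate(base64_variants(pattern)):
        if variant in stream:
            return offset
    return None


def mime_base64(data: bytes) -> bytes:
    """Constructed attachment body: base64 wrapped at 76 characters like MIME."""
    return base64.encodebytes(data)


if __name__ == "__main__":
    for off in range(3):
        body = mime_base64(b"X" * (39 + off) + PATTERN + b"Y" * 30)
        print(off, naive_match(body, PATTERN), alignment_aware_match(body, PATTERN))
```

The 39-byte filler keeps the pattern at a known alignment; the naive match fails even at alignment 0 once the body is line-wrapped.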