[Oisf-users] Rules with file_data SMTP not firing on SMTP traffic
Cloherty, Sean E
scloherty at mitre.org
Tue Jan 10 14:47:23 UTC 2017
I've done some additional testing by enabling some of the Suricata rules on a test server and I see the following, which is certainly impacting the rules not firing on attachment content matching. Any thoughts on causes? (This is Suricata 3.2 on CentOS 7.2)
External source to an internal host:
idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding failed [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:2728 -> xxx.xxx.xxx.xxx:25
Internal to internal traffic:
idstest suricata[7241]: [1:2220004:1] SURICATA SMTP invalid pipelined sequence [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:52298 -> xxx.xxx.xxx.xxx:25
Internal to internal traffic:
idstest suricata[9850]: [1:2220019:1] SURICATA SMTP unparsable content [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:40738 -> xxx.xxx.xxx.xxx:25
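As an added example (not code from the thread or from the Suricata project), a small Python triage script that parses fast.log-style lines like the three quoted above and separates the SMTP app-layer decoder events from ordinary signature hits on port 25, so you can see how much of the mail stream the MIME decoder is rejecting before blaming the rule. The sample lines and TEST-NET addresses are constructed, and the "Test Mail" sid 9000001 is a placeholder for the xxxxxxx in the original rule.

```python
import re
from collections import Counter

# One Suricata fast.log alert. Real fast.log wraps id and message in "[**]"; the lines
# pasted above came through syslog without them, so that marker is optional here.
FAST_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+(?:\[\*\*\]\s+)?"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\w.:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.:]+):(?P<dport>\d+)"
)

# Constructed sample: the three decoder alerts from the mail with TEST-NET addresses
# in place of the masked ones, plus one hit on the thread's "Test Mail" file_data rule.
CLS = "[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} "
SAMPLE_LINES = [
    "idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding failed "
    + CLS + "203.0.113.7:2728 -> 198.51.100.25:25",
    "idstest suricata[7241]: [1:2220004:1] SURICATA SMTP invalid pipelined sequence "
    + CLS + "192.0.2.14:52298 -> 198.51.100.25:25",
    "idstest suricata[9850]: [1:2220019:1] SURICATA SMTP unparsable content "
    + CLS + "192.0.2.31:40738 -> 198.51.100.25:25",
    "idstest suricata[9850]: [1:9000001:1] Test Mail [Classification: A suspicious "
    "string was detected] [Priority: 3] {TCP} 203.0.113.9:3311 -> 198.51.100.25:25",
]

def parse_fast_log(lines):
    """Parse fast.log-style alert lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = FAST_RE.search(line)
        if m:
            # gid/sid/rev/priority/ports become ints; msg, classification and addresses stay str
            events.append({k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()})
    return events

def smtp_decoder_summary(events):
    """Split port-25 alerts into SMTP decoder events and signature hits. A file_data rule
    cannot match attachment bytes the MIME decoder never produced, so many decoder
    events next to few hits points at the parser rather than at the rule."""
    decoder = [e for e in events if e["msg"].startswith("SURICATA SMTP")]
    hits = [e for e in events if e["dport"] == 25 and not e["msg"].startswith("SURICATA SMTP")]
    return {
        "decoder_events": len(decoder),
        "rule_hits_on_smtp": len(hits),
        "by_event": Counter(e["msg"] for e in decoder),
        "by_dst": Counter(e["dst"] for e in decoder),
    }

if __name__ == "__main__":  # print the breakdown for the constructed sample
    print(smtp_decoder_summary(parse_fast_log(SAMPLE_LINES)))
```

Point it at a real fast.log (`parse_fast_log(open("fast.log"))`) and group `by_dst` by mail server to find which hosts' traffic the decoder is struggling with.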
-----Original Message-----
From: Peter Manev [mailto:petermanev at gmail.com]
Sent: Wednesday, August 03, 2016 09:48 AM
To: Cloherty, Sean E <scloherty at mitre.org>
Cc: Victor Julien <lists at inliniac.net>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Rules with file_data SMTP not firing on SMTP traffic
On Wed, Aug 3, 2016 at 2:40 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
> The suggested upgrade did resolve some of our issues, but there is still one SMTP issue that we haven't been able to solve regarding hex bytes.
>
> Suricata is not triggering on detection for SMTP when using file_data
> option looking for hex bytes. For example I want to look for file_data
> and the bytes ab cd ef gh
>
> Has anyone else run into this?
Please feel free to open a bug report with a reproducible case - rule/pcap - so we can track it better.
>
> -----Original Message-----
> From: Oisf-users
> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf
> Of Victor Julien
> Sent: Tuesday, July 19, 2016 18:39 PM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Rules with file_data SMTP not firing on SMTP
> traffic
>
> On 19-07-16 22:47, Cloherty, Sean E wrote:
>> We’ve been a bit confounded by some of our rules not alerting. The
>> commonality is that they use file_data and it is looking for SMTP
>> traffic. This is essentially an example of what the simplest of
>> these rules contains:
>>
>> tcp any any -> $HOME_NET 25 (sid:xxxxxxx; gid:1; msg:"Test Mail";
>> file_data; content:"%PDF-1.4 Foo"; classtype:string-detect; rev:1;
>> reference:Test;)
>>
>> We have both Snort and Suricata running on one segment using the same
>> rule set. Snort fires and Suricata doesn’t when this traffic passes
>> the sensors. My colleague took some pcap of the traffic in question
>> and ran it on our test box and got the same results – fires in Snort,
>> not in Suricata.
>>
>> As a further test, we enabled the EVE logging (currently only using
>> unified format for Barnyard2 and FAST.LOG) and the traffic was there
>> in the EVE logs. That is a good sign, but is even more puzzling
>> since there is no record of an alert in the fast.log nor in the
>> barnyard spooled logs.
>>
>> We are running 3.0.1 on Centos 7, and running in AF-PACKET workers
>> mode, smtp is enabled as are the MIME-decoding features.
>>
>>
>> Any suggestions of where else to look would be appreciated.
>>
>
> Quite a few improvements were made for smtp file inspection in 3.1, so I would suggest trying 3.1.1.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net
--
Regards,
Peter Manev