[Oisf-users] Suricata SMTP Rules Fired - Now What...?
Cloherty, Sean E
scloherty at mitre.org
Thu Jan 12 18:43:04 UTC 2017
I've done some additional testing by enabling some of the Suricata rules on a test server and I see the following. Anyone have input on what can cause them to fire? (This is Suricata 3.2 on CentOS 7.2.) These are from different flows at different times, but these rules are firing frequently.
External source to an internal host:
idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding failed [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:2728 -> xxx.xxx.xxx.xxx:25
Internal to internal traffic:
idstest suricata[7241]: [1:2220004:1] SURICATA SMTP invalid pipelined sequence [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:52298 -> xxx.xxx.xxx.xxx:25
Internal to internal traffic:
idstest suricata[9850]: [1:2220019:1] SURICATA SMTP unparsable content [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:40738 -> xxx.xxx.xxx.xxx:25
Sean Cloherty
InfoSec Engineer/Scientist, Lead
MITRE Corporation
office (781) 271-3707
cell (781) 697-8043
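The three alerts above are Suricata's built-in SMTP decoder-event signatures (the SURICATA SMTP rules that ship with the engine and trigger on app-layer parser events rather than on content matches). Before deciding whether they are noise, a practitioner usually wants to know how often each SID fires and from which hosts. The script below is an added example, not code from the original post or from the Suricata project: it parses syslog-forwarded fast.log lines like the ones quoted, classifies each alert's direction against an assumed HOME_NET, and summarizes counts per SID, direction and source host. The HOME_NET ranges and the sample log lines are constructed (RFC 5737 and RFC 1918 addresses), not taken from the poster's environment.

```python
import re
import ipaddress
from collections import Counter

# Regex for a Suricata fast.log record. The "host suricata[PID]:" prefix added
# by syslog is ignored because we only search for the bracketed alert fields.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s+(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
)

# Assumed HOME_NET used to label direction. Constructed for this example;
# substitute the ranges from your own suricata.yaml.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample lines modelled on the three alerts in the post. The IPs are
# documentation/private addresses, not real hosts; the last line is a non-alert
# syslog record to show that unrelated lines are skipped.
SAMPLE_LOG = """\
Jan 12 13:01:02 idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding failed [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.7:2728 -> 10.1.2.25:25
Jan 12 13:02:10 idstest suricata[7241]: [1:2220004:1] SURICATA SMTP invalid pipelined sequence [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.1.5.40:52298 -> 10.1.2.25:25
Jan 12 13:03:44 idstest suricata[9850]: [1:2220019:1] SURICATA SMTP unparsable content [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.1.5.41:40738 -> 10.1.2.25:25
Jan 12 13:04:00 idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding failed [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.9:4412 -> 10.1.2.25:25
Jan 12 13:04:30 idstest suricata[9850]: Signature(s) loaded, Detect thread(s) initialized
"""


def is_home(ip):
    """True if the address falls inside one of the assumed HOME_NET ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def parse_alert(line):
    """Parse one fast.log line into a dict, or return None for non-alert lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "src_port", "dst_port"):
        alert[key] = int(alert[key])
    src = "internal" if is_home(alert["src_ip"]) else "external"
    dst = "internal" if is_home(alert["dst_ip"]) else "external"
    alert["direction"] = f"{src}->{dst}"
    return alert


def summarize(log_text):
    """Return (alerts, count per (sid, msg), count per (sid, direction))."""
    alerts = [a for a in map(parse_alert, log_text.splitlines()) if a]
    by_sid = Counter((a["sid"], a["msg"]) for a in alerts)
    by_sid_direction = Counter((a["sid"], a["direction"]) for a in alerts)
    return alerts, by_sid, by_sid_direction


def top_sources(alerts, sid):
    """Count source hosts for one SID, to see whether a few senders dominate."""
    return Counter(a["src_ip"] for a in alerts if a["sid"] == sid)


if __name__ == "__main__":
    alerts, by_sid, by_dir = summarize(SAMPLE_LOG)
    for (sid, msg), n in by_sid.most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    for (sid, direction), n in sorted(by_dir.items()):
        print(f"{n:4d}  sid {sid}  {direction}")
    print("base64 failure sources:", top_sources(alerts, 2220011).most_common(5))
```

Feeding a day of fast.log through this tells you whether a decoder event is spread across many senders (more likely a parser corner case or a broadly non-conforming client) or concentrated on one or two hosts (worth pulling the pcap or eve.json for that flow). If a SID turns out to be expected for a specific internal relay, Suricata's threshold.config supports per-source suppression of a given gen_id/sig_id, which is narrower than disabling the rule outright.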