[Oisf-users] Suricata SMTP Rules Fired - Now What...?

Tom DeCanio decanio.tom at gmail.com
Fri Jan 13 01:32:51 UTC 2017


Sean;

I'm familiar with Suricata's SMTP and MIME code.  If you can provide a pcap
containing the offending traffic I can take a look.  Send the pcap off list
if necessary.

Tom

On Thu, Jan 12, 2017 at 10:43 AM Cloherty, Sean E <scloherty at mitre.org>
wrote:

> I've done some additional testing by enabling some of the Suricata rules
> on a test server and I see the following.  Anyone have input on what can
> cause them to fire? (This is Suricata 3.2 on CentOS 7.2.)  These are from
> different flows at different times, but these rules are firing frequently.
>
> *External source to an internal host:*
>
> idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding
> failed [Classification: Generic Protocol Command Decode] [Priority: 3]
> {TCP} xxx.xxx.xxx.xxx:2728 -> xxx.xxx.xxx.xxx:25
>
> *Internal to internal traffic:*
>
> idstest suricata[7241]: [1:2220004:1] SURICATA SMTP invalid pipelined
> sequence [Classification: Generic Protocol Command Decode] [Priority: 3]
> {TCP} xxx.xxx.xxx.xxx:52298 -> xxx.xxx.xxx.xxx:25
>
> *Internal to internal traffic:*
>
> idstest suricata[9850]: [1:2220019:1] SURICATA SMTP unparsable content
> [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP}
> xxx.xxx.xxx.xxx:40738 -> xxx.xxx.xxx.xxx:25
>
> Sean Cloherty
>
> InfoSec Engineer/Scientist, Lead
>
> MITRE Corporation
>
> office (781) 271-3707
>
> cell      (781) 697-8043
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
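The three alerts Sean quotes are Suricata's built-in SMTP protocol-anomaly rules (the `[1:22200xx:1]` SIDs). Before chasing a pcap as Tom suggests, the usual first triage step is to group the alerts by SID and by which client/server pairs produce them, so the flow worth capturing is obvious. The Python below is an added example, not code posted on the list or shipped with Suricata: it parses alert lines in the syslog form quoted above (and in Suricata's fast.log form), groups them by SID, and labels each flow's direction against an assumed `HOME_NET`. The log lines and addresses are constructed for the example.

```python
"""Triage helper for Suricata SMTP anomaly alerts (added example, not list code)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed monitored address space; mirrors Suricata's default HOME_NET variable.
# Adjust to the site in question before drawing conclusions about direction.
HOME_NET = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the alert text both in the syslog form quoted in the thread and in
# Suricata's fast.log form (which wraps the message in "[**]" markers).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+(?:\[\*\*\]\s+)?"
    r"\[Classification:\s*(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[0-9a-fA-F.:]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[0-9a-fA-F.:]+):(?P<dport>\d+)"
)

# Constructed sample lines: the three SIDs from the thread with RFC 5737
# (documentation) and RFC 1918 addresses, one fast.log-style line, one non-alert line.
SAMPLE_LOG = """\
Jan 12 10:31:07 idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding failed [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.7:2728 -> 192.168.10.25:25
Jan 12 10:31:09 idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding failed [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.7:2731 -> 192.168.10.25:25
01/12/2017-10:31:11.123456  [**] [1:2220011:1] SURICATA SMTP Mime base64-decoding failed [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.9:4010 -> 192.168.10.25:25
Jan 12 10:32:44 idstest suricata[7241]: [1:2220004:1] SURICATA SMTP invalid pipelined sequence [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.20.14:52298 -> 192.168.10.25:25
Jan 12 10:35:02 idstest suricata[9850]: [1:2220019:1] SURICATA SMTP unparsable content [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.20.31:40738 -> 192.168.10.25:25
Jan 12 10:35:02 idstest suricata[9850]: [1:2220019:1] SURICATA SMTP unparsable content [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.20.31:40739 -> 192.168.10.25:25
Jan 12 10:36:00 idstest suricata[9850]: <Notice> - constructed non-alert line
"""


def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def zone(ip):
    """'internal' if the address falls inside HOME_NET, otherwise 'external'."""
    addr = ip_address(ip)
    return "internal" if any(addr in net for net in HOME_NET) else "external"


def summarize(lines):
    """Group alerts by SID: hit count, distinct (client, server, port) flows, directions."""
    summary = {}
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        entry = summary.setdefault(
            rec["sid"], {"msg": rec["msg"], "count": 0, "flows": set(), "directions": Counter()}
        )
        entry["count"] += 1
        # Ephemeral client ports are dropped so repeated sessions collapse into one flow.
        entry["flows"].add((rec["src"], rec["dst"], rec["dport"]))
        entry["directions"][f"{zone(rec['src'])}->{zone(rec['dst'])}"] += 1
    return summary


def report(summary):
    """Render the summary, noisiest SID first; the clients worth a pcap come out on top."""
    out = []
    for sid, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        out.append(f"sid {sid}: {e['count']}x {e['msg']}")
        for direction, n in e["directions"].most_common():
            out.append(f"  {direction}: {n}")
        for src, dst, port in sorted(e["flows"]):
            out.append(f"  {src} -> {dst}:{port}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG.splitlines())))
```

Run against a real `/var/log/messages` or `fast.log` by passing the file's lines to `summarize()`. A SID whose flows all share one client is usually a single misbehaving mailer or relay, and that client/server pair is the one to capture with `tcpdump` for the off-list pcap; a SID spread across many clients points more at the server or at the sensor's view of the traffic.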

