[Oisf-users] Suricata SMTP Rules Fired - Now What...?
Cloherty, Sean E
scloherty at mitre.org
Fri Jan 13 17:50:06 UTC 2017
Thanks Tom. I appreciate your offer, but since this is email and there is PII etc., I am not sure that is in the cards. Need another way to skin this cat.
Are there server, suricata compile errors, or suricata.yaml configuration values which I should check to eliminate the most likely causes?
From: Tom DeCanio [mailto:decanio.tom at gmail.com]
Sent: Thursday, January 12, 2017 20:33 PM
To: Cloherty, Sean E <scloherty at mitre.org>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata SMTP Rules Fired - Now What...?
Sean;
I'm familiar with Suricata's SMTP and MIME code. If you can provide a pcap containing the offending traffic I can take a look. Send the pcap off list if necessary.
Tom
On Thu, Jan 12, 2017 at 10:43 AM Cloherty, Sean E <scloherty at mitre.org> wrote:
I've done some additional testing by enabling some of the Suricata rules on a test server and I see the following. Anyone have input on what can cause them to fire? (This is Suricata 3.2 on CentOS 7.2.) These are from different flows at different times, but these rules are firing frequently.
External source to an internal host:
idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding failed [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:2728 -> xxx.xxx.xxx.xxx:25
Internal to internal traffic:
idstest suricata[7241]: [1:2220004:1] SURICATA SMTP invalid pipelined sequence [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:52298 -> xxx.xxx.xxx.xxx:25
Internal to internal traffic:
idstest suricata[9850]: [1:2220019:1] SURICATA SMTP unparsable content [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:40738 -> xxx.xxx.xxx.xxx:25
Sean Cloherty
InfoSec Engineer/Scientist, Lead
MITRE Corporation
office (781) 271-3707
cell (781) 697-8043
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
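A practical first step before sending pcaps anywhere is to triage the alerts themselves: parse the fast.log lines, bucket them by SID and by direction relative to HOME_NET, and count distinct source addresses per SID. Whether one internal MTA or many external senders is involved is usually the first question to answer before digging into suricata.yaml or the MIME decoder. The script below is an added example, not code from this thread or from the Suricata project; the log lines, the 203.0.113.0/24 and 10.0.0.0/8 addresses, and the HOME_NET ranges are constructed for illustration.

```python
"""Triage helper for Suricata fast.log SMTP decoder-event alerts.

Added example (not from the thread or the Suricata project). Assumes the
syslog-style fast.log alert format quoted in the thread and a HOME_NET
definition supplied by the operator.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumption: the operator's internal ranges; RFC 1918 used as a placeholder.
HOME_NET = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches "[gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port".
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
)

# Constructed sample lines in the same shape as the alerts quoted in the thread.
SAMPLE_LOG = """\
idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding failed [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.7:2728 -> 10.1.2.25:25
idstest suricata[7241]: [1:2220004:1] SURICATA SMTP invalid pipelined sequence [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.1.5.40:52298 -> 10.1.2.25:25
idstest suricata[9850]: [1:2220019:1] SURICATA SMTP unparsable content [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.1.5.41:40738 -> 10.1.2.25:25
idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding failed [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.9:3301 -> 10.1.2.25:25
idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding failed [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:4000 -> xxx.xxx.xxx.xxx:25
idstest suricata[9850]: some unrelated engine message
""".splitlines()


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast.log alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def is_internal(ip_text):
    """True/False for a parseable address, None for masked addresses like xxx.xxx.xxx.xxx."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return any(ip in net for net in HOME_NET)


def direction(rec):
    """Classify a parsed alert by its endpoints relative to HOME_NET."""
    src, dst = is_internal(rec["src"]), is_internal(rec["dst"])
    if src is None or dst is None:
        return "unknown"
    return {
        (True, True): "internal->internal",
        (False, True): "external->internal",
        (True, False): "internal->external",
        (False, False): "external->external",
    }[(src, dst)]


def summarize(lines):
    """Aggregate alerts by (sid, direction); also track distinct sources and the message per SID."""
    counts = Counter()
    sources = defaultdict(set)
    messages = {}
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue  # not an alert line; skip engine chatter
        counts[(rec["sid"], direction(rec))] += 1
        sources[rec["sid"]].add(rec["src"])
        messages[rec["sid"]] = rec["msg"]
    return counts, sources, messages


def report(lines):
    """Render the summary as one row per (sid, direction), busiest first."""
    counts, sources, messages = summarize(lines)
    rows = []
    for (sid, dirn), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        rows.append(f"sid={sid} dir={dirn:<19} alerts={n:<3} "
                    f"distinct_src={len(sources[sid])}  {messages[sid]}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real fast.log by replacing SAMPLE_LOG with the file's lines; masked or otherwise unparseable addresses land in the "unknown" bucket rather than being silently dropped, so the counts still reconcile with the raw alert volume.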