[Oisf-users] Suricata SMTP Rules Fired - Now What...?

Cloherty, Sean E scloherty at mitre.org
Fri Jan 13 17:50:06 UTC 2017

Thanks Tom.  I appreciate your offer, but since this is email and there is PII etc., I am not sure that is in the cards.  Need another way to skin this cat.

Are there server, suricata compile errors, or suricata.yaml configuration values which I should check to eliminate the most likely causes?

From: Tom DeCanio [mailto:decanio.tom at gmail.com]
Sent: Thursday, January 12, 2017 20:33 PM
To: Cloherty, Sean E <scloherty at mitre.org>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata SMTP Rules Fired - Now What...?


I'm familiar with Suricata's SMTP and MIME code.  If you can provide a pcap containing the offending traffic I can take a look.  Send the pcap off list if necessary.


On Thu, Jan 12, 2017 at 10:43 AM Cloherty, Sean E <scloherty at mitre.org> wrote:

I've done some additional testing by enabling some of the Suricata rules on a test server and I see the following.  Anyone have input on what can cause them to fire? (This is Suricata 3.2 on CentOS 7.2.)  These are from different flows at different times, but these rules are firing frequently.

External source to an internal host:

idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding failed [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:2728 -> xxx.xxx.xxx.xxx:25

Internal to internal traffic:

idstest suricata[7241]: [1:2220004:1] SURICATA SMTP invalid pipelined sequence [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:52298 -> xxx.xxx.xxx.xxx:25

Internal to internal traffic:

idstest suricata[9850]: [1:2220019:1] SURICATA SMTP unparsable content [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:40738 -> xxx.xxx.xxx.xxx:25

Sean Cloherty
InfoSec Engineer/Scientist, Lead
MITRE Corporation
office (781) 271-3707
cell   (781) 697-8043
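Added example (not from any poster in this thread): a small triage script that parses the syslog-style fast.log lines quoted above, tags each alert as internal or external by source and destination, and counts how often each SMTP decoder-event SID fires per direction, so the noisiest event and the flows producing it can be looked at first. The sample lines and the HOME_NET range are constructed for the example; the poster's masked addresses are not used.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the syslog fast.log form quoted in the thread;
# addresses are documentation/private ranges, not the poster's masked ones.
SAMPLE_LOG = """\
idstest suricata[9850]: [1:2220011:1] SURICATA SMTP Mime base64-decoding failed [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.10:2728 -> 10.0.0.25:25
idstest suricata[7241]: [1:2220004:1] SURICATA SMTP invalid pipelined sequence [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.40:52298 -> 10.0.0.25:25
idstest suricata[9850]: [1:2220019:1] SURICATA SMTP unparsable content [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.41:40738 -> 10.0.0.25:25
idstest suricata[9850]: [1:2220019:1] SURICATA SMTP unparsable content [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.41:40739 -> 10.0.0.25:25
"""

# Assumed HOME_NET for this example; the thread only says "internal".
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

# Matches both the syslog form above and plain fast.log (with "[**]" separators).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[\*\*\]\s+)?\[Classification: (?P<cls>[^\]]+)\]\s+\[Priority: (?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line):
    """Return a dict of the alert fields, or None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("gid", "sid", "rev", "pri", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def direction(rec):
    src = "internal" if is_internal(rec["src"]) else "external"
    dst = "internal" if is_internal(rec["dst"]) else "external"
    return f"{src}->{dst}"

def summarize(log_text):
    """Count alerts by (sid, msg, direction) to rank decoder events for triage."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec:
            counts[(rec["sid"], rec["msg"], direction(rec))] += 1
    return counts

if __name__ == "__main__":
    for (sid, msg, d), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  sid={sid}  {d:18s}  {msg}")
```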

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users