[Oisf-users] Suricata SMTP Rules Fired - Now What...?

Cloherty, Sean E scloherty at mitre.org
Fri Jan 13 22:26:42 UTC 2017


"Without the traffic it's hard to tell if it's false positive or correct matches."

- Agreed - but since we've been struggling to get SMTP rules to work in Suricata, I would lean towards these alerts being related, if not indicators of some underlying issue dogging our SMTP rules. Notably, the rules failing are content matches on Base64-encoded attachments.

Description / configuration

I've attached my yaml and the startup script.

Server is running CentOS 7.2 / 3.10.0-327.36.3.el7.x86_64
128 GB RAM / 32 CPU Threads / Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
I am using CPU affinity to allow workers only on the cpus in the same NUMA as the NIC (thank you Peter!)
NIC = Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01) (Intel 10Gb -  ixgbe 4.4.6 drivers)
-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Andreas Herz
Sent: Friday, January 13, 2017 16:16 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata SMTP Rules Fired - Now What...?

On 13/01/17 at 17:50, Cloherty, Sean E wrote:
> Thanks Tom.  I appreciate your offer, but since this is email and 
> there is PII etc., I am not sure that is in the cards.  Need another 
> way to skin this cat.

Without the traffic it's hard to tell if it's false positive or correct matches.

> Are there server, suricata compile errors, or suricata.yaml 
> configuration values which I should check to eliminate the most likely 
> causes?

You could describe your setup more, how you run suricata, in which mode and what you did configure (beside defaults).

--
Andreas Herz
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: start_suricata.sh
Type: application/octet-stream
Size: 461 bytes
Desc: start_suricata.sh
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170113/71b93ba2/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata.yaml
Type: application/octet-stream
Size: 63612 bytes
Desc: suricata.yaml
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170113/71b93ba2/attachment-0005.obj>
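Sean's note above says the failing rules are content matches on Base64-encoded attachments. As an added illustration, not code from the thread or from Suricata, the script below shows why a match written against the encoded bytes only fires when the marker happens to sit on a 3-byte boundary, while matching the decoded attachment fires every time; the sample message, the marker bytes and all function names are constructed for this example.

```python
"""Raw vs decoded matching on a Base64 attachment (constructed example)."""
import base64
import email
from email import policy
from email.message import EmailMessage

PATTERN = b"EICAR-STANDARD"  # hypothetical marker bytes a rule looks for


def build_message(prefix: bytes) -> bytes:
    """Constructed SMTP/MIME message whose attachment carries PATTERN after
    `prefix`; the prefix length shifts the Base64 3-byte alignment."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(prefix + PATTERN, maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return msg.as_bytes()


def raw_match(wire: bytes, encoded_pattern: bytes) -> bool:
    """What a content match on the undecoded SMTP stream sees."""
    return encoded_pattern in wire


def decoded_match(wire: bytes) -> bool:
    """Match after MIME/Base64 decoding, i.e. on the attachment bytes an
    inspector that decodes attachments into a file buffer would see."""
    msg = email.message_from_bytes(wire, policy=policy.default)
    for part in msg.iter_attachments():
        if PATTERN in part.get_payload(decode=True):
            return True
    return False


def compare() -> dict:
    """Count hits for raw vs decoded matching across the three alignments."""
    # Encoding of PATTERN at offset 0, padding stripped to be generous.
    encoded_pattern = base64.b64encode(PATTERN).rstrip(b"=")
    hits = {"raw": 0, "decoded": 0}
    for offset in range(3):
        wire = build_message(b"A" * offset)
        hits["raw"] += raw_match(wire, encoded_pattern)
        hits["decoded"] += decoded_match(wire)
    return hits  # -> {'raw': 1, 'decoded': 3}
```

The raw match hits one message in three, which is the kind of intermittent firing that looks like a false positive until the attachment is decoded.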