[Oisf-users] Suricata SMTP Rules Fired - Now What...?

Peter Manev petermanev at gmail.com
Thu Jan 26 13:24:45 UTC 2017


On Fri, Jan 13, 2017 at 11:26 PM, Cloherty, Sean E <scloherty at mitre.org> wrote:
> "Without the traffic it's hard to tell if it's false positive or correct matches."
>
> - Agreed - but since we've been struggling to get SMTP rules to work in Suricata, I would lean towards these alerts being related, if not indicators of some underlying issue dogging our SMTP rules.  Notably, the rules failing are content matches on Base64 encoded attachments.
>

Sean, you mentioned during the training in Sunnyvale that there might
be a relevant pcap that would be possible to share?

> Description / configuration
>
> I've attached my yaml and the startup script.
>
> Server is running CentOS 7.2 / 3.10.0-327.36.3.el7.x86_64
> 128 GB RAM / 32 CPU Threads / Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
> I am using CPU affinity to allow workers only on the cpus in the same NUMA as the NIC (thank you Peter!)
> NIC = Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01) (Intel 10Gb -  ixgbe 4.4.6 drivers)
>
>
>
>
> -----Original Message-----
> From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Andreas Herz
> Sent: Friday, January 13, 2017 16:16 PM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata SMTP Rules Fired - Now What...?
>
> On 13/01/17 at 17:50, Cloherty, Sean E wrote:
>> Thanks Tom.  I appreciate your offer, but since this is email and
>> there is PII etc., I am not sure that is in the cards.  Need another
>> way to skin this cat.
>
> Without the traffic it's hard to tell if it's false positive or correct matches.
>
>> Are there server, suricata compile errors, or suricata.yaml
>> configuration values which I should check to eliminate the most likely
>> causes?
>
> You could describe your setup more, how you run suricata, in which mode and what you did configure (beside defaults).
>
> --
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>



-- 
Regards,
Peter Manev
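The content matches Sean describes as failing (rules on Base64-encoded attachments) have a mechanical explanation that a constructed example makes concrete. The Python below is added here and is not code from the thread or from the Suricata project. It uses a constructed 6-byte marker and constructed zero-byte filler to show three things: a plain content match on the encoded form of a marker only hits when the marker starts at a byte offset that is a multiple of 3; the classic workaround of three alignment-specific patterns covers every offset but still misses when the MIME 76-column line wrap falls inside the pattern; and decoding first and matching the raw bytes, which is what Suricata's documented base64_decode/base64_data keywords and file extraction let a rule do, works in every case. The names stable_encoded_patterns, build_attachment, evaluate and the lead/offset parameters are this example's own.

```python
import base64

# Constructed sample marker: a 6-byte pattern a rule might look for inside an
# attachment. Six bytes keeps the offset-0 encoding free of '=' padding.
MARKER = b"MZ\x90\x00\x03\x00"


def stable_encoded_patterns(marker: bytes) -> list:
    """Return, for each byte alignment (offset mod 3), the run of base64 characters
    that depends only on `marker` bits. Encoding the marker twice with opposite
    filler (0x00 and 0xFF) around it and keeping the characters that agree isolates
    those runs; every character that mixes in a filler bit changes between the two."""
    patterns = []
    for offset in range(3):
        tail = (-(offset + len(marker))) % 3  # pad to a whole 3-byte group, no '='
        a, b = (
            base64.b64encode(filler * offset + marker + filler * tail).decode("ascii")
            for filler in (b"\x00", b"\xff")
        )
        agree = [i for i, (x, y) in enumerate(zip(a, b)) if x == y]
        if not agree:  # marker too short to pin down any character at this alignment
            patterns.append("")
            continue
        start, end = agree[0], agree[-1]
        # Agreeing positions are contiguous: they are exactly the marker-only characters.
        assert all(a[i] == b[i] for i in range(start, end + 1))
        patterns.append(a[start:end + 1])
    return patterns


def mime_wrap(encoded: bytes, width: int = 76) -> bytes:
    """Break base64 text into CRLF-terminated lines of at most 76 characters, as
    RFC 2045 requires for a base64 body part."""
    lines = [encoded[i:i + width] for i in range(0, len(encoded), width)]
    return b"\r\n".join(lines) + b"\r\n"


def build_attachment(marker: bytes, offset: int, lead: int) -> bytes:
    """Constructed attachment body: `lead` + `offset` zero bytes, the marker, then
    ten trailing zero bytes, base64-encoded and MIME-wrapped. `lead` is a multiple
    of 3 so that `offset` alone decides the marker's alignment."""
    assert lead % 3 == 0
    body = b"\x00" * (lead + offset) + marker + b"\x00" * 10
    return mime_wrap(base64.b64encode(body))


def naive_match(attachment: bytes, marker: bytes) -> bool:
    """What a rule with content:"<base64 of marker>" sees: a plain substring search
    over the encoded bytes on the wire."""
    return base64.b64encode(marker) in attachment


def aligned_match(attachment: bytes, marker: bytes) -> bool:
    """The three-alignment workaround: one content pattern per offset mod 3."""
    return any(p.encode("ascii") in attachment for p in stable_encoded_patterns(marker) if p)


def decoded_match(attachment: bytes, marker: bytes) -> bool:
    """Decode first, then match the raw bytes. This is the approach Suricata's
    base64_decode/base64_data keywords (and file extraction) make available to
    a rule, emulated here with the standard library."""
    raw = base64.b64decode(attachment.replace(b"\r\n", b""))
    return marker in raw


def evaluate(marker: bytes) -> dict:
    """Run the three matching strategies over the marker at each alignment and over
    a case where the marker's encoding straddles a 76-column line break."""
    cases = {0: build_attachment(marker, 0, lead=69),
             1: build_attachment(marker, 1, lead=69),
             2: build_attachment(marker, 2, lead=69),
             # lead=54 puts the marker's encoding at columns 72..79, across the wrap
             "wrapped": build_attachment(marker, 0, lead=54)}
    results = {}
    for name, att in cases.items():
        results[("naive", name)] = naive_match(att, marker)
        results[("aligned", name)] = aligned_match(att, marker)
        results[("decoded", name)] = decoded_match(att, marker)
    return results


if __name__ == "__main__":
    print("alignment patterns:", stable_encoded_patterns(MARKER))
    for key, hit in sorted(evaluate(MARKER).items(), key=str):
        print(f"{key[0]:>8} / offset {key[1]!s:>7}: {'hit' if hit else 'miss'}")
```

For the constructed marker the three alignment patterns come out as TVqQAAMA, 1akAADA and NWpAAAw; the naive pattern hits only at offset 0, the aligned set hits at all three offsets but not across the line wrap, and the decode-then-match path hits everywhere. That is the practical argument for matching on decoded or extracted attachment bytes rather than on the raw encoded stream, and it is also why a pcap is needed to tell a real miss from a mismatched rule.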