Snort mailing list archives
Re: VIRUS OUTBOUND .pif file attachment
From: "Stevo" <checkpoint () ozbergs com>
Date: Fri, 5 Sep 2003 09:27:50 -0700
Erek,

When I click on the details of the event this is what I see (the email must have cut off this section):

So this shows the email being send from extra () eDiets com to corporate () imandi com (which is our email domain). So the email is actually from an outside source and being send inbound?? This is where I'm getting confused!

--Stevo

  1BDYB01 ([64.7.171.84]) by intranet1.renditionnetworks.com with Microsoft SMTPSVC(5.0.2195.6713);
    Wed, 3 Sep 2003 10:02:04 -0700
  From: <extra () eDiets com>
  To: <corporate () imandi com>
  Subject: Thank you!
  Date: Wed, 3 Sep 2003 13:14:44 --0400
  X-MailScanner: Found to be clean
  Importance: Normal
  X-Mailer: Microsoft Outlook Express 6.00.2600.0000
  X-MSMail-Priority: Normal
  X-Priority: 3 (Normal)
  MIME-Version: 1.0
  Content-Type: multipart/mixed;
    boundary="_NextPart_000_060CCF5D"
  Return-Path: extra@eDiets.com
  Message-ID: <INTRANET1CsUiivWd2Y000036a7 () intranet1 renditionnetworks com>
  X-OriginalArrivalTime: 03 Sep 2003 17:02:05.0176 (UTC) FILETIME=[1A073F80:01C3723D]

  This is a multipart message in MIME format.

  --_NextPart_000_060CCF5D
  Content-Type: text/plain;
    charset="iso-8859-1"
  Content-Transfer-Encoding: 7bit

  Please see the attached file for details.

  --_NextPart_000_060CCF5D
  Content-Type: application/octet-stream;
    name="application.pif"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment;
    filename="application.pif"

----- Original Message -----
From: "Erek Adams" <erek () snort org>
To: "Stevo" <checkpoint () ozbergs com>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, September 04, 2003 10:09 PM
Subject: Re: [Snort-users] VIRUS OUTBOUND .pif file attachment
On Thu, 4 Sep 2003, Stevo wrote:

> Got a question about the [snort] VIRUS OUTBOUND .pif file attachment rule.
>
> I'm seeing a billion of these in my logs and don't really understand the rule. My mail server is 63.145.201.15 and from the rule it appears that my mail server is connecting to other mail servers on port 25 and Snort is picking up that I'm sending a .pif file attachment.
>
> [snort] VIRUS OUTBOUND .pif file attachment 2003-09-03 10:00:06 63.145.201.15:29180 216.144.69.88:25 TCP
>
> However... When I look at the details for the event it appears that the email is from an outside domain and being sent into our email domain... see below... from extra () eDiets com to corporate () imandi com. Imandi.com is our email domain, so this message is actually being sent inbound! Am I understanding this correctly??

Well, I'm guessing you forgot to add whatever was to be 'below'. :)

From what you posted, your server (.15) connected to .88 and sent an email with the .pif as part of it. Everything there matches with what you show. Am I not understanding what the issue is?

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson