07-04-2016 08:43 AM - edited 03-12-2019 06:03 AM
Hello All,
New to Sourcefire and am having an issue and could use some help. Have been getting emails all morning about intrusions and have not been able to track them down or get any info on them.
I think they are being blocked ( dropped) but want some reassurance from the community.
The message is:
"SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt" [Impact: Potentially Vulnerable] From "XXXIDS-1" at Mon Jul 4 14:40:43 2016 UTC [Classification: Attempted User Privilege Gain] [Priority: 1] {tcp} 209.65.160.XXX.:XXX->XXX.XXX.XXX.XXX:XX
The console shows these intrusions are being dropped but not sure why the console also says potentially vulnerable.
The destination is my mailrelay server and I don't see anything in the mail logs pertaining to these events.
Is there any way in Sourcefire to see where these events are ultimately going, or to set my mind at ease that we are OK? Drilling down on the alerts shows me nothing additional.
Thanks,
Steve
07-04-2016 05:57 PM
Hi
You would need to check the IPS events in FireSIGHT.
Check that specific event for the source and destination IP address; you can also download the packet file for that event. Open it up in Wireshark and see if the packet has the same matching criteria as the rule. You would see the rule action in the IPS event logs.
Rate if helps.
Yogesh
07-05-2016 06:25 AM
Hello Yogesh,
Thanks for your quick reply. I did manage to find the info on the packets being sent in the console under the analysis tab. Determined it was an email going to our help desk from a known source.
I do have a couple of questions still...
We have been getting this email for years; it's a daily report. It just started to alert in Sourcefire... Is this a new definition in Sourcefire? How can I check that?
Rule: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt"; flow:to_server,established; content:"Content-Disposition"; nocase; content:"filename"; within:120; nocase; isdataat:83,relative; content:!"|0A|"; within:83; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3644; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=818&can=1&q=symantec&sort=-id; classtype:attempted-user; sid:39380; rev:1; )
Also, the Sourcefire console says this was a dropped intrusion event. I assumed that to mean it was blocked; however, the recipient did get this email with the attachment, so I guess dropped is not the same as blocked.
Thanks Again for your help,
Steve
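To see why a routine daily report can trip SID 39380, it helps to walk the rule's content chain by hand. The script below is an added example written for this thread, not Cisco or Snort code: it emulates only the payload-matching options of the rule quoted above (content "Content-Disposition", "filename" within 120 bytes, isdataat:83 relative, and no line feed within the following 83 bytes), ignoring flow, port and policy options, and the emulation of Snort's within/isdataat boundaries is an approximation. The three SMTP message fragments are constructed samples; the attachment names are made up.

```python
"""Emulate the content chain of Snort SID 39380 against sample MIME headers.

Added example for this thread (not Snort or Sourcefire code). The rule fires when,
after a "filename" token that follows "Content-Disposition", at least 84 bytes of
payload remain and the next 83 bytes contain no line feed (0x0A). A long, unfolded
Content-Disposition header line satisfies that without any exploit content.
"""

# Constructed sample 1: short attachment name, header line ends quickly.
SHORT_FILENAME = (
    b"Content-Type: application/pdf\r\n"
    b'Content-Disposition: attachment; filename="report.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"JVBERi0xLjQKJcfsj6IKNSAwIG9iago8PC9MZW5ndGggNiAwIFI+PgpzdHJlYW0K\r\n"
)

# Constructed sample 2: long attachment name plus a size parameter on one line,
# so more than 83 bytes follow "filename" before the first line feed.
LONG_FILENAME = (
    b"Content-Type: application/vnd.ms-excel\r\n"
    b'Content-Disposition: attachment; filename="Daily_Help_Desk_Ticket_Summary_Report_'
    b'For_All_Regions_And_Queues_2016-07-05_Final_Version_Exported.xlsx"; size=48213\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAA\r\n"
)

# Constructed sample 3: the same long name split into RFC 2231 continuation
# parameters, each on its own folded line, so a line feed always lands
# inside the 83-byte window.
FOLDED_FILENAME = (
    b"Content-Type: application/vnd.ms-excel\r\n"
    b"Content-Disposition: attachment;\r\n"
    b' filename*0="Daily_Help_Desk_Ticket_Summary_Report_";\r\n'
    b' filename*1="For_All_Regions_And_Queues_2016-07-05_Final_Version_Exported.xlsx"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAA\r\n"
)


def find_match(payload: bytes):
    """Return the 83-byte window that satisfies the rule, or None if it never fires.

    Snort retries earlier content matches at later occurrences when a relative
    option fails, so both searches loop over every candidate occurrence.
    """
    lower = payload.lower()  # both content options carry "nocase"
    cd_from = 0
    while True:
        cd = lower.find(b"content-disposition", cd_from)
        if cd < 0:
            return None
        cursor = cd + len(b"content-disposition")
        # content:"filename"; within:120; nocase;  -> match must sit in the next 120 bytes
        fn_from = cursor
        while True:
            fn = lower.find(b"filename", fn_from, cursor + 120)
            if fn < 0:
                break
            after = fn + len(b"filename")
            window = payload[after:after + 83]
            # isdataat:83,relative; -> a byte must exist 83 past the cursor
            # content:!"|0A|"; within:83; -> and no LF in those 83 bytes
            if len(payload) - after > 83 and b"\n" not in window:
                return window
            fn_from = fn + 1
        cd_from = cd + 1


def sid_39380_matches(payload: bytes) -> bool:
    """True when the emulated content chain of SID 39380 would fire on payload."""
    return find_match(payload) is not None


if __name__ == "__main__":
    for label, sample in (("short", SHORT_FILENAME),
                          ("long", LONG_FILENAME),
                          ("folded", FOLDED_FILENAME)):
        hit = find_match(sample)
        print(f"{label:7s} fires={hit is not None}"
              + (f"  window={hit!r}" if hit else ""))
```

Running it shows the "long" sample firing on nothing more than an unfolded header line, while the "short" and "folded" samples do not; the returned window is the same 83 bytes an analyst would see after "filename" in the packet download from the console, which is what to look at when deciding whether a report is a false positive.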
07-05-2016 07:33 AM
Hello Team,
Have you made any changes to the default HOME_NET and EXTERNAL_NET variables mentioned in the FireSIGHT settings?
Can you please attach a screenshot of the intrusion event to confirm whether this has been dropped or not?
Rate if that post helps you
Regards
Jetsy
07-05-2016 08:37 AM
Hello Jetsy,
It appears that there is a new rule set that went into effect 6/30 with this rule enabled.
1:39380 <-> ENABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt (server-other.rules)
Not sure where it's picking up the Symantec alert from, since our mail server is Linux and there is nothing using Symantec in the path to the mail server.
The Sourcefire console screen for the intrusion is attached.
Is it just noise that I could disable the alert for?
Thanks for your help !,
Steve
07-06-2016 06:45 AM
Hello Team,
I won't recommend disabling the rule without any confirmation.
What is the existing SRU version that you have?
Make sure that the device is on the latest possible SRU version. This event may be triggering because some of the content in this rule is also matching the packet that was detected during the intrusion event.
The last step, and ideally how to deal with this issue, is to collect the packet download for this specific intrusion event and request a false positive analysis for the mentioned SID.
Rate if my post and answers help you.
Regards
Jetsy