3109 false positive?

DSmirnov
Level 1

I'm confused with 3109 signature (based on 3.0.3-13).

Based on payload in /usr/nr/var/log.* file the 3109 checks not only SMTP commands (like RCPT and FROM) but email body as well (for example field 'from' in mail header):

.............................................................................from.202.84.1.101..........^m\0xZZ220 zeus.xconsulting.com ESMTP Postfix^m^j]

Is it true?

Doesn't it mean 3109 will be false-positive a lot of times?


klwiley
Cisco Employee

This appears to be either a bug or the result of the sensor only seeing half of an email thread. Our sensor does maintain state in the e-mail conversation, but does not rely on the client input to transition state. Rather, we use the OK back from the e-mail server to transition into the next state. This allows us to avoid being forced out of synch by an attacker.

Could you send me the log entry for this alarm at klwiley@cisco.com. I would like to see if we were seeing the server side traffic for this alarm. If for some reason we weren't (asymmetric routing is the most common reason) then you will experience this from time to time as the sensor will wander into the body of the e-mail when it does not transition out of the header state.

If instead I see from the context that both sides of the conversation are present then I can look into this as a defect in the engine.

Thanks,

KLW
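The behaviour described in the reply above, as an added illustration that is not Cisco's engine code nor part of the original thread: a hypothetical tracker that leaves the envelope/header state only on the server's 354 reply, run over a constructed session once with both halves present and once with only the client half (what asymmetric routing leaves the sensor). The session, the signature regex and all names are assumptions for the example.

```python
import re

# Constructed bidirectional SMTP session: ("C", line) is client, ("S", line) is server.
# The message body deliberately contains a line that looks like an SMTP command.
FULL_SESSION = [
    ("S", "220 mail.example.test ESMTP"),
    ("C", "HELO client.example.test"), ("S", "250 mail.example.test"),
    ("C", "MAIL FROM:<alice@example.test>"), ("S", "250 2.1.0 Ok"),
    ("C", "RCPT TO:<bob@example.test>"), ("S", "250 2.1.5 Ok"),
    ("C", "DATA"), ("S", "354 End data with <CR><LF>.<CR><LF>"),
    ("C", "From: alice@example.test"), ("C", "Subject: hello"), ("C", ""),
    ("C", "RCPT TO: body text that merely looks like a command"),
    ("C", "."), ("S", "250 2.0.0 Ok: queued"),
]
# What a sensor sees under asymmetric routing: only the client half of the conversation.
CLIENT_ONLY_SESSION = [pair for pair in FULL_SESSION if pair[0] == "C"]

# Stand-in for a command signature's pattern (assumed, not the real 3109 logic).
COMMAND_RE = re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA)\b", re.IGNORECASE)


class SmtpStateTracker:
    """Hypothetical tracker: state changes only on server replies, never on client input."""

    def __init__(self):
        self.state = "ENVELOPE"  # client lines are treated as SMTP commands
        self.pending = None      # last client command awaiting a server reply
        self.inspected = []      # client lines the command signature was applied to

    def feed(self, direction, line):
        if direction == "C":
            if self.state == "BODY":           # message body: commands are not inspected
                if line == ".":
                    self.pending = "END"
                return
            match = COMMAND_RE.match(line)
            if match:
                self.inspected.append(line)
                self.pending = match.group(1).upper()
        else:                                  # server reply drives the transition
            code = line[:3]
            if self.pending == "DATA" and code == "354":
                self.state = "BODY"
            elif self.pending == "END" and code.startswith("2"):
                self.state = "ENVELOPE"
            self.pending = None


def inspected_lines(session):
    """Return the client lines that would be matched against the command signature."""
    tracker = SmtpStateTracker()
    for direction, line in session:
        tracker.feed(direction, line)
    return tracker.inspected
```

With the server half missing, the 354 never arrives, so the tracker stays in the envelope state and the body line is inspected as if it were an RCPT command; with both halves present it is skipped.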