jimoe
June 21, 2024, 5:23pm
I occasionally see this in fast.log. It always occurs during a backup from the local system to an NFS volume.
06/21/2024-05:06:16.154024 [**] [1:2032926:2] ET INFO Possible Overflow Attempt - Abnormally Large SMTP EHLO Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.69.246:885 -> 192.168.69.245:2049
jimoe
June 21, 2024, 6:02pm
I forgot to add the Alert log entry:
TIME: 06/21/2024-05:06:16.154024
PKT SRC: wire/pcap
SRC IP: 192.168.69.246
DST IP: 192.168.69.245
PROTO: 6
SRC PORT: 885
DST PORT: 2049
TCP SEQ: 18233371
TCP ACK: 4105836300
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 06/17/2024-11:19:19.944570
FLOW PKTS TODST: 5039707
FLOW PKTS TOSRC: 4503558
FLOW Total Bytes: 4152406640
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: TRUE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 34
PACKET LEN: 1460
PACKET:
0000 45 00 05 B4 3B 00 40 00 40 06 ED 07 C0 A8 45 F6 E...;.@. @.....E.
0010 C0 A8 45 F5 03 75 08 01 01 16 38 1B F4 BA 17 0C ..E..u.. ..8.....
0020 80 10 60 00 A9 43 00 00 01 01 08 0A 50 13 6D 82 ..`..C.. ....P.m.
0030 32 C3 97 6F 45 48 4C 4F 20 66 72 61 6D 65 2E 73 2..oEHLO frame.s
0040 79 6E 6F 67 75 74 2E 7A 61 2E 63 6F 6D 0A 30 30 ynogut.z a.com.00
0050 3A 35 38 3A 33 31 2E 33 35 36 20 34 20 53 4D 54 :58:31.3 56 4 SMT
0060 50 49 2D 30 30 37 38 35 39 28 5B 31 32 37 2E 30 PI-00785 9([127.0
0070 2E 30 2E 31 5D 29 20 72 73 70 3A 20 32 35 30 2D .0.1]) r sp: 250-
0080 73 6D 61 2D 69 6E 63 2E 75 73 20 77 65 20 74 72 sma-inc. us we tr
0090 75 73 74 20 79 6F 75 20 66 72 61 6D 65 2E 73 79 ust you frame.sy
00A0 6E 6F 67 75 74 2E 7A 61 2E 63 6F 6D 5C 72 5C 6E nogut.za .com\r\n
00B0 32 35 30 2D 44 53 4E 5C 72 5C 6E 32 35 30 2D 53 250-DSN\ r\n250-S
00C0 49 5A 45 20 31 30 37 33 37 34 31 38 32 34 5C 72 IZE 1073 741824\r
00D0 5C 6E 32 35 30 2D 53 54 41 52 54 54 4C 53 5C 72 \n250-ST ARTTLS\r
00E0 5C 6E 32 35 30 2D 41 55 54 48 20 4C 4F 47 49 4E \n250-AU TH LOGIN
00F0 20 50 4C 41 49 4E 20 43 52 41 4D 2D 4D 44 35 20 PLAIN C RAM-MD5
0100 44 49 47 45 53 54 2D 4D 44 35 20 47 53 53 41 50 DIGEST-M D5 GSSAP
0110 49 5C 72 5C 6E 32 35 30 2D 45 54 52 4E 5C 72 5C I\r\n250 -ETRN\r\
0120 6E 32 35 30 2D 54 55 52 4E 5C 72 5C 6E 32 35 30 n250-TUR N\r\n250
0130 2D 41 54 52 4E 5C 72 5C 6E 32 35 30 2D 4E 4F 2D -ATRN\r\ n250-NO-
0140 53 4F 4C 49 43 49 54 49 4E 47 5C 72 5C 6E 32 35 SOLICITI NG\r\n25
0150 30 2D 38 42 49 54 4D 49 4D 45 5C 72 5C 6E 32 35 0-8BITMI ME\r\n25
0160 30 2D 48 45 4C 50 5C 72 5C 6E 32 35 30 2D 50 49 0-HELP\r \n250-PI
0170 50 45 4C 49 4E 49 4E 47 5C 72 5C 6E 32 35 30 2D PELINING \r\n250-
0180 53 4D 54 50 55 54 46 38 5C 72 5C 6E 32 35 30 20 SMTPUTF8 \r\n250
0190 45 48 4C 4F 0A 30 30 3A 35 38 3A 33 31 2E 35 38 EHLO.00: 58:31.58
01A0 33 20 34 20 53 4D 54 50 49 2D 30 30 37 38 35 39 3 4 SMTP I-007859
01B0 28 5B 31 32 37 2E 30 2E 30 2E 31 5D 29 20 63 6D ([127.0. 0.1]) cm
01C0 64 3A 20 53 54 41 52 54 54 4C 53 0A 30 30 3A 35 d: START TLS.00:5
01D0 38 3A 33 31 2E 35 38 33 20 34 20 53 4D 54 50 49 8:31.583 4 SMTPI
01E0 2D 30 30 37 38 35 39 28 5B 31 32 37 2E 30 2E 30 -007859( [127.0.0
01F0 2E 31 5D 29 20 72 73 70 3A 20 32 32 30 20 70 6C .1]) rsp : 220 pl
0200 65 61 73 65 20 73 74 61 72 74 20 61 20 54 4C 53 ease sta rt a TLS
0210 20 63 6F 6E 6E 65 63 74 69 6F 6E 0A 30 30 3A 35 connect ion.00:5
0220 38 3A 33 31 2E 36 33 30 20 34 20 53 4D 54 50 49 8:31.630 4 SMTPI
0230 2D 30 30 37 38 35 39 28 5B 31 32 37 2E 30 2E 30 -007859( [127.0.0
0240 2E 31 5D 29 20 54 4C 53 2D 30 31 34 33 38 39 28 .1]) TLS -014389(
0250 45 43 44 48 45 5F 41 45 53 32 35 36 5F 53 48 41 ECDHE_AE S256_SHA
0260 29 20 63 6F 6E 6E 65 63 74 69 6F 6E 20 61 63 63 ) connec tion acc
0270 65 70 74 65 64 20 66 6F 72 20 44 4F 4D 41 49 4E epted fo r DOMAIN
0280 28 73 6D 61 2D 69 6E 63 2E 75 73 29 0A 30 30 3A (sma-inc .us).00:
0290 35 38 3A 33 31 2E 36 33 35 20 34 20 53 4D 54 50 58:31.63 5 4 SMTP
02A0 49 2D 30 30 37 38 35 39 28 5B 31 32 37 2E 30 2E I-007859 ([127.0.
02B0 30 2E 31 5D 29 20 63 6D 64 3A 20 45 48 4C 4F 20 0.1]) cm d: EHLO
02C0 66 72 61 6D 65 2E 73 79 6E 6F 67 75 74 2E 7A 61 frame.sy nogut.za
02D0 2E 63 6F 6D 0A 30 30 3A 35 38 3A 33 31 2E 36 33 .com.00: 58:31.63
02E0 35 20 34 20 53 4D 54 50 49 2D 30 30 37 38 35 39 5 4 SMTP I-007859
02F0 28 5B 31 32 37 2E 30 2E 30 2E 31 5D 29 20 72 73 ([127.0. 0.1]) rs
0300 70 3A 20 32 35 30 2D 73 6D 61 2D 69 6E 63 2E 75 p: 250-s ma-inc.u
0310 73 20 77 65 20 74 72 75 73 74 20 79 6F 75 20 66 s we tru st you f
0320 72 61 6D 65 2E 73 79 6E 6F 67 75 74 2E 7A 61 2E rame.syn ogut.za.
0330 63 6F 6D 5C 72 5C 6E 32 35 30 2D 44 53 4E 5C 72 com\r\n2 50-DSN\r
0340 5C 6E 32 35 30 2D 53 49 5A 45 20 31 30 37 33 37 \n250-SI ZE 10737
0350 34 31 38 32 34 5C 72 5C 6E 32 35 30 2D 41 55 54 41824\r\ n250-AUT
0360 48 20 4C 4F 47 49 4E 20 50 4C 41 49 4E 20 43 52 H LOGIN PLAIN CR
0370 41 4D 2D 4D 44 35 20 44 49 47 45 53 54 2D 4D 44 AM-MD5 D IGEST-MD
0380 35 20 47 53 53 41 50 49 5C 72 5C 6E 32 35 30 2D 5 GSSAPI \r\n250-
0390 45 54 52 4E 5C 72 5C 6E 32 35 30 2D 54 55 52 4E ETRN\r\n 250-TURN
03A0 5C 72 5C 6E 32 35 30 2D 41 54 52 4E 5C 72 5C 6E \r\n250- ATRN\r\n
03B0 32 35 30 2D 4E 4F 2D 53 4F 4C 49 43 49 54 49 4E 250-NO-S OLICITIN
03C0 47 5C 72 5C 6E 32 35 30 2D 38 42 49 54 4D 49 4D G\r\n250 -8BITMIM
03D0 45 5C 72 5C 6E 32 35 30 2D 48 45 4C 50 5C 72 5C E\r\n250 -HELP\r\
03E0 6E 32 35 30 2D 50 49 50 45 4C 49 4E 49 4E 47 5C n250-PIP ELINING\
03F0 72 5C 6E 32 35 30 2D 53 4D 54 50 55 54 46 38 5C r\n250-S MTPUTF8\
0400 72 5C 6E 32 35 30 20 45 48 4C 4F 0A 30 30 3A 35 r\n250 E HLO.00:5
0410 38 3A 33 31 2E 36 38 36 20 34 20 53 4D 54 50 49 8:31.686 4 SMTPI
0420 2D 30 30 37 38 35 39 28 5B 31 32 37 2E 30 2E 30 -007859( [127.0.0
0430 2E 31 5D 29 20 63 6D 64 3A 20 4D 41 49 4C 20 46 .1]) cmd : MAIL F
0440 52 4F 4D 3A 3C 37 39 39 34 39 2D 39 35 38 2D 38 ROM:<799 49-958-8
0450 32 38 33 33 2D 31 37 34 39 34 2D 63 68 65 72 69 2833-174 94-cheri
0460 65 3D 73 6F 68 6E 65 6E 2D 6D 6F 65 2E 63 6F 6D e=sohnen -moe.com
0470 40 6D 61 69 6C 2E 73 79 6E 6F 67 75 74 2E 7A 61 @mail.sy nogut.za
0480 2E 63 6F 6D 3E 0A 30 30 3A 35 38 3A 33 31 2E 36 .com>.00 :58:31.6
0490 38 37 20 34 20 54 45 4D 50 46 49 4C 45 28 38 37 87 4 TEM PFILE(87
04A0 38 32 38 33 38 29 20 70 72 65 2D 63 72 65 61 74 82838) p re-creat
04B0 65 64 0A 30 30 3A 35 38 3A 33 31 2E 36 38 37 20 ed.00:58 :31.687
04C0 32 20 54 45 4D 50 46 49 4C 45 28 38 37 38 32 38 2 TEMPFI LE(87828
04D0 33 33 29 20 61 6C 6C 6F 63 61 74 65 64 0A 30 30 33) allo cated.00
04E0 3A 35 38 3A 33 31 2E 36 38 37 20 34 20 53 4D 54 :58:31.6 87 4 SMT
04F0 50 49 2D 30 30 37 38 35 39 28 5B 31 32 37 2E 30 PI-00785 9([127.0
0500 2E 30 2E 31 5D 29 20 72 73 70 3A 20 32 35 30 20 .0.1]) r sp: 250
0510 37 39 39 34 39 2D 39 35 38 2D 38 32 38 33 33 2D 79949-95 8-82833-
0520 31 37 34 39 34 2D 63 68 65 72 69 65 3D 73 6F 68 17494-ch erie=soh
0530 6E 65 6E 2D 6D 6F 65 2E 63 6F 6D 40 6D 61 69 6C nen-moe. com@mail
0540 2E 73 79 6E 6F 67 75 74 2E 7A 61 2E 63 6F 6D 20 .synogut .za.com
0550 73 65 6E 64 65 72 20 61 63 63 65 70 74 65 64 0A sender a ccepted.
0560 30 30 3A 35 38 3A 33 31 2E 39 39 32 20 34 20 53 00:58:31 .992 4 S
0570 4D 54 50 49 2D 30 30 37 38 35 39 28 5B 31 32 37 MTPI-007 859([127
0580 2E 30 2E 30 2E 31 5D 29 20 63 6D 64 3A 20 52 43 .0.0.1]) cmd: RC
0590 50 54 20 54 4F 3A 3C 63 68 65 72 69 65 40 73 6F PT TO:<c herie@so
05A0 68 6E 65 6E 2D 6D 6F 65 2E 63 6F 6D 3E 0A 30 30 hnen-moe .com>.00
05B0 3A 35 38 3A :58:
ALERT CNT: 1
ALERT MSG [00]: ET INFO Possible Overflow Attempt - Abnormally Large SMTP EHLO Inbound
ALERT GID [00]: 1
ALERT SID [00]: 2032926
ALERT REV [00]: 2
ALERT CLASS [00]: Potentially Bad Traffic
ALERT PRIO [00]: 2
ALERT FOUND IN [00]: PACKET
ALERT IN TX [00]: N/A
Hi @jimoe! Thank you for the False Positive report. I’ll look into this.
Hi again @jimoe!
I reviewed the following rule for possible False Positive activity:
alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET INFO Possible Overflow Attempt - Abnormally Large SMTP EHLO Inbound"; flow:established,to_server; content:"EHLO"; startswith; isdataat:1000,relative; classtype:bad-unknown; sid:2032926; rev:2; metadata:attack_target SMTP_Server, created_at 2021_05_10, deployment Perimeter, signature_severity Informational, updated_at 2021_05_11;)
The rule’s intention is to check if “EHLO” exists in a TCP packet. If the match exists, then the rule checks if data exists 1000 bytes after the EHLO match. This rule aids in detecting SMTP sessions where threat actors fill the session with varying arbitrary content for phishing and other abusive behavior.
I would not classify the alert generated from the alert log data as a False Positive. Although no changes will be made to the rule in the ET ruleset, I would encourage adjusting your rule-vars to omit generating alerts from assets involved during the routine backup process.
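The following is an added example, not code from the thread or from the ET ruleset. It replays the logic of sid 2032926 as described above: it parses the first rows of the alert's packet dump back into bytes, decodes the IPv4/TCP headers to find where the payload begins (port 885 to port 2049, payload starting with "EHLO frame.s"), then applies the rule's conditions (destination inside the rule variable, payload starting with "EHLO", at least 1000 bytes after that match) to the backup write, to an ordinary SMTP greeting, and to the backup write again after the NFS server has been excluded from the rule variable. The `HOME_NET` value, the constructed filler standing in for the rest of the 1460-byte packet, and the modelled boundary of `isdataat:1000,relative` are assumptions; the `flow:established,to_server` keyword is not modelled.

```python
"""Model of sid 2032926 applied to the packet from the alert above (added example)."""
import ipaddress
import re
import struct

# First four rows of the packet dump from the alert log (verbatim from the post).
DUMP_HEAD = """\
0000 45 00 05 B4 3B 00 40 00 40 06 ED 07 C0 A8 45 F6 E...;.@. @.....E.
0010 C0 A8 45 F5 03 75 08 01 01 16 38 1B F4 BA 17 0C ..E..u.. ..8.....
0020 80 10 60 00 A9 43 00 00 01 01 08 0A 50 13 6D 82 ..`..C.. ....P.m.
0030 32 C3 97 6F 45 48 4C 4F 20 66 72 61 6D 65 2E 73 2..oEHLO frame.s
"""

# Constructed filler for the rest of the packet: the dump shows a mail-server
# log file being written over NFS, so one such log line (modelled on the dump)
# is repeated until the payload reaches the length the IP header advertises.
FILLER_LINE = (b"00:58:31.356 4 SMTPI-007859([127.0.0.1]) rsp: 250-sma-inc.us "
               b"we trust you frame.synogut.za.com\\r\\n\n")

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
HOME_NET = [ipaddress.ip_network("192.168.69.0/24")]   # assumed site value of $HOME_NET


def parse_dump(text: str) -> bytes:
    """Turn 'offset  hex bytes  ascii' rows back into raw bytes.

    At most 16 hex pairs follow the offset; reading stops at the first token
    that is not a two-digit hex value, which is where the ASCII column starts
    (this also copes with the short final row of a dump).
    """
    out = bytearray()
    for row in text.splitlines():
        tokens = row.split()
        for tok in tokens[1:17]:
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def ipv4_tcp_header(pkt: bytes) -> dict:
    """Decode the IPv4/TCP fields needed to locate the TCP payload."""
    ihl = (pkt[0] & 0x0F) * 4                        # IPv4 header length
    total_len = struct.unpack("!H", pkt[2:4])[0]     # length of the whole IP packet
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4              # TCP header length incl. options
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "total_len": total_len, "payload_off": ihl + data_off}


def rule_2032926_matches(payload: bytes, dst, home_net: list, excluded: list) -> bool:
    """Conditions of: alert tcp-pkt any any -> [$HOME_NET,...] any
    (content:"EHLO"; startswith; isdataat:1000,relative;)

    home_net plus excluded model the rule variable with negated entries
    (assumption: same effect as a !host entry inside $HOME_NET).
    """
    if any(dst in net for net in excluded) or not any(dst in net for net in home_net):
        return False
    if not payload.startswith(b"EHLO"):              # content:"EHLO"; startswith;
        return False
    match_end = len(b"EHLO")
    # isdataat:1000,relative: modelled as "at least 1000 bytes of payload remain
    # after the previous match" (assumption about the exact boundary).
    return len(payload) - match_end >= 1000


def backup_packet_payload() -> tuple:
    """Rebuild the alerting packet's payload: parsed dump rows + constructed filler."""
    head = parse_dump(DUMP_HEAD)
    hdr = ipv4_tcp_header(head)
    prefix = head[hdr["payload_off"]:]               # b"EHLO frame.s"
    need = hdr["total_len"] - hdr["payload_off"]     # 1460 - 52 = 1408 payload bytes
    filler = FILLER_LINE * (need // len(FILLER_LINE) + 1)
    return hdr, prefix + filler[:need - len(prefix)]


def demo() -> dict:
    hdr, payload = backup_packet_payload()
    nfs_server = ipaddress.ip_network("192.168.69.245/32")   # backup target from the alert
    return {
        "ports": (hdr["sport"], hdr["dport"]),
        "backup_write_alerts": rule_2032926_matches(payload, hdr["dst"], HOME_NET, []),
        "normal_ehlo_alerts": rule_2032926_matches(
            b"EHLO mail.example.invalid\r\n", hdr["dst"], HOME_NET, []),
        "backup_write_after_tuning": rule_2032926_matches(
            payload, hdr["dst"], HOME_NET, [nfs_server]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows why the rule fires on the backup and not on a real greeting: the NFS write happens to carry a mail-server log whose first bytes are "EHLO " followed by more than a kilobyte of text, whereas a client EHLO is a few dozen bytes. Excluding the backup target from the rule variable removes the match for that flow while leaving the rule active for the rest of the network, which is the adjustment suggested above.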