False positive on rule #2032926

I occasionally see this in fast.log. It always occurs during a backup from the local system to a NFS volume.

06/21/2024-05:06:16.154024 [**] [1:2032926:2] ET INFO Possible Overflow Attempt - Abnormally Large SMTP EHLO Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.69.246:885 -> 192.168.69.245:2049


I forgot to add the Alert log entry:

TIME:              06/21/2024-05:06:16.154024
PKT SRC:           wire/pcap
SRC IP:            192.168.69.246
DST IP:            192.168.69.245
PROTO:             6
SRC PORT:          885
DST PORT:          2049
TCP SEQ:           18233371
TCP ACK:           4105836300
FLOW:              to_server: TRUE, to_client: FALSE
FLOW Start TS:     06/17/2024-11:19:19.944570
FLOW PKTS TODST:   5039707
FLOW PKTS TOSRC:   4503558
FLOW Total Bytes:  4152406640
FLOW IPONLY SET:   TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION:       DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: TRUE
FLOW APP_LAYER:    DETECTED: TRUE, PROTO 34
PACKET LEN:        1460
PACKET:
 0000  45 00 05 B4 3B 00 40 00  40 06 ED 07 C0 A8 45 F6   E...;.@. @.....E.
 0010  C0 A8 45 F5 03 75 08 01  01 16 38 1B F4 BA 17 0C   ..E..u.. ..8.....
 0020  80 10 60 00 A9 43 00 00  01 01 08 0A 50 13 6D 82   ..`..C.. ....P.m.
 0030  32 C3 97 6F 45 48 4C 4F  20 66 72 61 6D 65 2E 73   2..oEHLO  frame.s
 0040  79 6E 6F 67 75 74 2E 7A  61 2E 63 6F 6D 0A 30 30   ynogut.z a.com.00
 0050  3A 35 38 3A 33 31 2E 33  35 36 20 34 20 53 4D 54   :58:31.3 56 4 SMT
 0060  50 49 2D 30 30 37 38 35  39 28 5B 31 32 37 2E 30   PI-00785 9([127.0
 0070  2E 30 2E 31 5D 29 20 72  73 70 3A 20 32 35 30 2D   .0.1]) r sp: 250-
 0080  73 6D 61 2D 69 6E 63 2E  75 73 20 77 65 20 74 72   sma-inc. us we tr
 0090  75 73 74 20 79 6F 75 20  66 72 61 6D 65 2E 73 79   ust you  frame.sy
 00A0  6E 6F 67 75 74 2E 7A 61  2E 63 6F 6D 5C 72 5C 6E   nogut.za .com\r\n
 00B0  32 35 30 2D 44 53 4E 5C  72 5C 6E 32 35 30 2D 53   250-DSN\ r\n250-S
 00C0  49 5A 45 20 31 30 37 33  37 34 31 38 32 34 5C 72   IZE 1073 741824\r
 00D0  5C 6E 32 35 30 2D 53 54  41 52 54 54 4C 53 5C 72   \n250-ST ARTTLS\r
 00E0  5C 6E 32 35 30 2D 41 55  54 48 20 4C 4F 47 49 4E   \n250-AU TH LOGIN
 00F0  20 50 4C 41 49 4E 20 43  52 41 4D 2D 4D 44 35 20    PLAIN C RAM-MD5
 0100  44 49 47 45 53 54 2D 4D  44 35 20 47 53 53 41 50   DIGEST-M D5 GSSAP
 0110  49 5C 72 5C 6E 32 35 30  2D 45 54 52 4E 5C 72 5C   I\r\n250 -ETRN\r\
 0120  6E 32 35 30 2D 54 55 52  4E 5C 72 5C 6E 32 35 30   n250-TUR N\r\n250
 0130  2D 41 54 52 4E 5C 72 5C  6E 32 35 30 2D 4E 4F 2D   -ATRN\r\ n250-NO-
 0140  53 4F 4C 49 43 49 54 49  4E 47 5C 72 5C 6E 32 35   SOLICITI NG\r\n25
 0150  30 2D 38 42 49 54 4D 49  4D 45 5C 72 5C 6E 32 35   0-8BITMI ME\r\n25
 0160  30 2D 48 45 4C 50 5C 72  5C 6E 32 35 30 2D 50 49   0-HELP\r \n250-PI
 0170  50 45 4C 49 4E 49 4E 47  5C 72 5C 6E 32 35 30 2D   PELINING \r\n250-
 0180  53 4D 54 50 55 54 46 38  5C 72 5C 6E 32 35 30 20   SMTPUTF8 \r\n250
 0190  45 48 4C 4F 0A 30 30 3A  35 38 3A 33 31 2E 35 38   EHLO.00: 58:31.58
 01A0  33 20 34 20 53 4D 54 50  49 2D 30 30 37 38 35 39   3 4 SMTP I-007859
 01B0  28 5B 31 32 37 2E 30 2E  30 2E 31 5D 29 20 63 6D   ([127.0. 0.1]) cm
 01C0  64 3A 20 53 54 41 52 54  54 4C 53 0A 30 30 3A 35   d: START TLS.00:5
 01D0  38 3A 33 31 2E 35 38 33  20 34 20 53 4D 54 50 49   8:31.583  4 SMTPI
 01E0  2D 30 30 37 38 35 39 28  5B 31 32 37 2E 30 2E 30   -007859( [127.0.0
 01F0  2E 31 5D 29 20 72 73 70  3A 20 32 32 30 20 70 6C   .1]) rsp : 220 pl
 0200  65 61 73 65 20 73 74 61  72 74 20 61 20 54 4C 53   ease sta rt a TLS
 0210  20 63 6F 6E 6E 65 63 74  69 6F 6E 0A 30 30 3A 35    connect ion.00:5
 0220  38 3A 33 31 2E 36 33 30  20 34 20 53 4D 54 50 49   8:31.630  4 SMTPI
 0230  2D 30 30 37 38 35 39 28  5B 31 32 37 2E 30 2E 30   -007859( [127.0.0
 0240  2E 31 5D 29 20 54 4C 53  2D 30 31 34 33 38 39 28   .1]) TLS -014389(
 0250  45 43 44 48 45 5F 41 45  53 32 35 36 5F 53 48 41   ECDHE_AE S256_SHA
 0260  29 20 63 6F 6E 6E 65 63  74 69 6F 6E 20 61 63 63   ) connec tion acc
 0270  65 70 74 65 64 20 66 6F  72 20 44 4F 4D 41 49 4E   epted fo r DOMAIN
 0280  28 73 6D 61 2D 69 6E 63  2E 75 73 29 0A 30 30 3A   (sma-inc .us).00:
 0290  35 38 3A 33 31 2E 36 33  35 20 34 20 53 4D 54 50   58:31.63 5 4 SMTP
 02A0  49 2D 30 30 37 38 35 39  28 5B 31 32 37 2E 30 2E   I-007859 ([127.0.
 02B0  30 2E 31 5D 29 20 63 6D  64 3A 20 45 48 4C 4F 20   0.1]) cm d: EHLO
 02C0  66 72 61 6D 65 2E 73 79  6E 6F 67 75 74 2E 7A 61   frame.sy nogut.za
 02D0  2E 63 6F 6D 0A 30 30 3A  35 38 3A 33 31 2E 36 33   .com.00: 58:31.63
 02E0  35 20 34 20 53 4D 54 50  49 2D 30 30 37 38 35 39   5 4 SMTP I-007859
 02F0  28 5B 31 32 37 2E 30 2E  30 2E 31 5D 29 20 72 73   ([127.0. 0.1]) rs
 0300  70 3A 20 32 35 30 2D 73  6D 61 2D 69 6E 63 2E 75   p: 250-s ma-inc.u
 0310  73 20 77 65 20 74 72 75  73 74 20 79 6F 75 20 66   s we tru st you f
 0320  72 61 6D 65 2E 73 79 6E  6F 67 75 74 2E 7A 61 2E   rame.syn ogut.za.
 0330  63 6F 6D 5C 72 5C 6E 32  35 30 2D 44 53 4E 5C 72   com\r\n2 50-DSN\r
 0340  5C 6E 32 35 30 2D 53 49  5A 45 20 31 30 37 33 37   \n250-SI ZE 10737
 0350  34 31 38 32 34 5C 72 5C  6E 32 35 30 2D 41 55 54   41824\r\ n250-AUT
 0360  48 20 4C 4F 47 49 4E 20  50 4C 41 49 4E 20 43 52   H LOGIN  PLAIN CR
 0370  41 4D 2D 4D 44 35 20 44  49 47 45 53 54 2D 4D 44   AM-MD5 D IGEST-MD
 0380  35 20 47 53 53 41 50 49  5C 72 5C 6E 32 35 30 2D   5 GSSAPI \r\n250-
 0390  45 54 52 4E 5C 72 5C 6E  32 35 30 2D 54 55 52 4E   ETRN\r\n 250-TURN
 03A0  5C 72 5C 6E 32 35 30 2D  41 54 52 4E 5C 72 5C 6E   \r\n250- ATRN\r\n
 03B0  32 35 30 2D 4E 4F 2D 53  4F 4C 49 43 49 54 49 4E   250-NO-S OLICITIN
 03C0  47 5C 72 5C 6E 32 35 30  2D 38 42 49 54 4D 49 4D   G\r\n250 -8BITMIM
 03D0  45 5C 72 5C 6E 32 35 30  2D 48 45 4C 50 5C 72 5C   E\r\n250 -HELP\r\
 03E0  6E 32 35 30 2D 50 49 50  45 4C 49 4E 49 4E 47 5C   n250-PIP ELINING\
 03F0  72 5C 6E 32 35 30 2D 53  4D 54 50 55 54 46 38 5C   r\n250-S MTPUTF8\
 0400  72 5C 6E 32 35 30 20 45  48 4C 4F 0A 30 30 3A 35   r\n250 E HLO.00:5
 0410  38 3A 33 31 2E 36 38 36  20 34 20 53 4D 54 50 49   8:31.686  4 SMTPI
 0420  2D 30 30 37 38 35 39 28  5B 31 32 37 2E 30 2E 30   -007859( [127.0.0
 0430  2E 31 5D 29 20 63 6D 64  3A 20 4D 41 49 4C 20 46   .1]) cmd : MAIL F
 0440  52 4F 4D 3A 3C 37 39 39  34 39 2D 39 35 38 2D 38   ROM:<799 49-958-8
 0450  32 38 33 33 2D 31 37 34  39 34 2D 63 68 65 72 69   2833-174 94-cheri
 0460  65 3D 73 6F 68 6E 65 6E  2D 6D 6F 65 2E 63 6F 6D   e=sohnen -moe.com
 0470  40 6D 61 69 6C 2E 73 79  6E 6F 67 75 74 2E 7A 61   @mail.sy nogut.za
 0480  2E 63 6F 6D 3E 0A 30 30  3A 35 38 3A 33 31 2E 36   .com>.00 :58:31.6
 0490  38 37 20 34 20 54 45 4D  50 46 49 4C 45 28 38 37   87 4 TEM PFILE(87
 04A0  38 32 38 33 38 29 20 70  72 65 2D 63 72 65 61 74   82838) p re-creat
 04B0  65 64 0A 30 30 3A 35 38  3A 33 31 2E 36 38 37 20   ed.00:58 :31.687
 04C0  32 20 54 45 4D 50 46 49  4C 45 28 38 37 38 32 38   2 TEMPFI LE(87828
 04D0  33 33 29 20 61 6C 6C 6F  63 61 74 65 64 0A 30 30   33) allo cated.00
 04E0  3A 35 38 3A 33 31 2E 36  38 37 20 34 20 53 4D 54   :58:31.6 87 4 SMT
 04F0  50 49 2D 30 30 37 38 35  39 28 5B 31 32 37 2E 30   PI-00785 9([127.0
 0500  2E 30 2E 31 5D 29 20 72  73 70 3A 20 32 35 30 20   .0.1]) r sp: 250
 0510  37 39 39 34 39 2D 39 35  38 2D 38 32 38 33 33 2D   79949-95 8-82833-
 0520  31 37 34 39 34 2D 63 68  65 72 69 65 3D 73 6F 68   17494-ch erie=soh
 0530  6E 65 6E 2D 6D 6F 65 2E  63 6F 6D 40 6D 61 69 6C   nen-moe. com@mail
 0540  2E 73 79 6E 6F 67 75 74  2E 7A 61 2E 63 6F 6D 20   .synogut .za.com
 0550  73 65 6E 64 65 72 20 61  63 63 65 70 74 65 64 0A   sender a ccepted.
 0560  30 30 3A 35 38 3A 33 31  2E 39 39 32 20 34 20 53   00:58:31 .992 4 S
 0570  4D 54 50 49 2D 30 30 37  38 35 39 28 5B 31 32 37   MTPI-007 859([127
 0580  2E 30 2E 30 2E 31 5D 29  20 63 6D 64 3A 20 52 43   .0.0.1])  cmd: RC
 0590  50 54 20 54 4F 3A 3C 63  68 65 72 69 65 40 73 6F   PT TO:<c herie@so
 05A0  68 6E 65 6E 2D 6D 6F 65  2E 63 6F 6D 3E 0A 30 30   hnen-moe .com>.00
 05B0  3A 35 38 3A                                        :58:
ALERT CNT:           1
ALERT MSG [00]:      ET INFO Possible Overflow Attempt - Abnormally Large SMTP EHLO Inbound
ALERT GID [00]:      1
ALERT SID [00]:      2032926
ALERT REV [00]:      2
ALERT CLASS [00]:    Potentially Bad Traffic
ALERT PRIO [00]:     2
ALERT FOUND IN [00]: PACKET
ALERT IN TX [00]:    N/A

Hi @jimoe! Thank you for the False Positive report. I’ll look into this.

Hi again @jimoe!

I reviewed the following rule for possible False Positive activity:

alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET INFO Possible Overflow Attempt - Abnormally Large SMTP EHLO Inbound"; flow:established,to_server; content:"EHLO"; startswith; isdataat:1000,relative; classtype:bad-unknown; sid:2032926; rev:2; metadata:attack_target SMTP_Server, created_at 2021_05_10, deployment Perimeter, signature_severity Informational, updated_at 2021_05_11;)

The rule’s intention is to check if “EHLO” exists in a TCP packet. If the match exists, then the rule checks if data exists 1000 bytes after the EHLO match. This rule aids in detecting SMTP sessions where threat actors fill the session with varying arbitrary content for phishing and other abusive behavior.

I would not classify the alert generated from the alert log data as a False Positive. Although no changes will be made to the rule in the ET ruleset, I would encourage adjusting your rule-vars to omit generating alerts from assets involved during the routine backup process.
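The reply above describes the three keywords that decide the match. The following is an added example written for this thread, not code from the poster, from Emerging Threats, or from Suricata: it mirrors those keywords in plain Python and runs them over constructed packets (the hostnames, addresses, ports and log lines are made up and only imitate the shape of the PACKET dump above) to show why a full-size NFS segment carrying a mail log that happens to begin with "EHLO" trips the rule, while a real SMTP greeting does not. It assumes Suricata evaluates `isdataat:1000,relative` as "at least 1000 payload bytes remain after the end of the previous match"; Suricata's own engine does the real matching.

```python
"""
Added example (not from the thread or the ET ruleset): a plain-Python model of the
checks that decide sid 2032926, applied to constructed packets.  Only these rule
keywords are mirrored:
    content:"EHLO"; startswith;   -> the TCP payload must begin with b"EHLO"
    isdataat:1000,relative;       -> at least 1000 more payload bytes must follow
                                     the end of that match (assumed semantics)
Because the rule header is `tcp-pkt any any -> ... any`, the check runs on every
TCP packet, whatever the port, which is why an NFS WRITE on 2049 is a candidate.
"""
import struct

RULE_SID = 2032926
EHLO = b"EHLO"
ISDATAAT = 1000                     # from the rule: isdataat:1000,relative


def tcp_payload(packet: bytes) -> bytes:
    """Strip the IPv4 and TCP headers from a raw packet (the form printed under
    PACKET in the alert log) using the IHL and TCP data-offset fields."""
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    data_off = (packet[ihl + 12] >> 4) * 4       # TCP header length in bytes
    return packet[ihl + data_off:]


def rule_2032926_matches(payload: bytes) -> bool:
    """Mirror of the rule's content logic on one packet payload."""
    if not payload.startswith(EHLO):             # content:"EHLO"; startswith;
        return False
    cursor = len(EHLO)                           # detect pointer sits after "EHLO"
    return len(payload) - cursor >= ISDATAAT     # isdataat:1000,relative; (assumed)


def evaluate(packet: bytes) -> dict:
    """Explain the decision for one packet; values are what an analyst would
    check by hand against the alert log's PACKET dump."""
    payload = tcp_payload(packet)
    starts = payload.startswith(EHLO)
    remaining = len(payload) - len(EHLO) if starts else 0
    return {
        "payload_len": len(payload),
        "starts_with_ehlo": starts,
        "bytes_after_match": remaining,
        "alert": rule_2032926_matches(payload),
    }


def build_packet(payload: bytes) -> bytes:
    """Constructed IPv4 + TCP packet around `payload`.  The TCP header carries
    12 bytes of options (data offset 8, as in the dump above); addresses and
    ports are placeholders and checksums are left at zero."""
    total_len = 20 + 32 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 0, 10]), bytes([192, 168, 0, 20]))
    tcp = struct.pack("!HHIIBBHHH", 885, 2049, 1, 1, 8 << 4, 0x10, 0x6000, 0, 0)
    tcp += b"\x01\x01\x08\x0a" + bytes(8)       # NOP, NOP, timestamp option
    return ip + tcp + payload


# Constructed test data.  MAIL_LOG_CHUNK imitates a mail server log file whose
# first line is an EHLO transcript; a backup copies such files to NFS in
# full-MSS segments, here 1408 payload bytes (+52 header bytes = 1460, the
# PACKET LEN in the alert).
_LOG_LINE = b"00:58:31.356 4 SMTPI-000001([127.0.0.1]) rsp: 250-example.test\r\n"
MAIL_LOG_CHUNK = (b"EHLO mail.example.test\n" + _LOG_LINE * 40)[:1408]

NFS_WRITE_PACKET = build_packet(MAIL_LOG_CHUNK)                 # file data starting at "EHLO"
SMTP_EHLO_PACKET = build_packet(b"EHLO mail.example.test\r\n")   # a genuine SMTP greeting
MID_FILE_PACKET = build_packet(b"250 OK\r\n" + MAIL_LOG_CHUNK[:1400])  # "EHLO" not at byte 0


if __name__ == "__main__":
    for name, pkt in (("NFS write of log file", NFS_WRITE_PACKET),
                      ("real SMTP EHLO", SMTP_EHLO_PACKET),
                      ("NFS write, mid-file", MID_FILE_PACKET)):
        print(f"{name:24s} sid {RULE_SID}: {evaluate(pkt)}")
```

The first packet alerts: the payload begins with "EHLO" and 1404 bytes follow it, so both keywords are satisfied even though nothing SMTP is happening on the wire. A real greeting fails `isdataat`, and a segment where "EHLO" is not the first payload byte fails `startswith`. The reply's suggestion to adjust rule-vars corresponds to the `vars.address-groups` section of suricata.yaml (the rule's destination is `[$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS]`, and Suricata accepts negated entries such as `!192.168.69.245` inside a group); a more targeted alternative is a `suppress` entry in threshold.config keyed on gen_id 1, sig_id 2032926 and the NFS server's address, which leaves the rule active for every other host.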

Okay. Thank you.