False Positive?: sig 2032926 "Abnormally Large SMTP EHLO Inbound"

These possible FPs occur during a backup of our mail server to an NFS mounted volume.

{"timestamp":"2021-10-27T05:04:07.617335-0700","flow_id":15866114764243,"event_type":"alert","src_ip":"192.168.69.246","src_port":806,"dest_ip":"192.168.69.245","dest_port":2049,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2032926,"rev":2,"signature":"ET INFO Possible Overflow Attempt - Abnormally Large SMTP EHLO Inbound","category":"Potentially Bad Traffic","severity":2,"metadata":{"attack_target":["SMTP_Server"],"created_at":["2021_05_10"],"deployment":["Perimeter"],"former_category":["INFO"],"signature_severity":["Informational"],"updated_at":["2021_05_11"]}},"app_proto":"failed","flow":{"pkts_toserver":31940514,"pkts_toclient":30016135,"bytes_toserver":9462431584,"bytes_toclient":13173670072,"start":"2021-10-09T15:56:34.224723-0700"}}
---[ 13 more ]---

Hi James,

While some ET folks do monitor these forums, the best place for a question regarding ET rules would be via the ET mailing list or support portal (Feedback).

To answer your question, this doesn’t necessarily sound like a false positive. This is potentially an alert in your particular environment that you would expect to see based on the assets involved. IF this is traffic that you would expect to see between these two assets, this could be a case for a local rule tune.

If you want to send the ET team pcap or more log output via the support portal linked above, we would be happy to look into it further.

Hope this helps!

JT

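One way to support the local-tune decision JT describes, as an added example that is not part of this thread or of ET's or Suricata's own tooling: it reads EVE JSON alert lines, keeps only sid 2032926 hits whose flow does not look like SMTP (app_proto is not smtp and the destination port is not a mail port, e.g. the NFS port 2049 in the alert above), and drafts threshold.config suppress entries scoped to the source host rather than disabling the rule globally. The sample lines are constructed, modelled on the alert in the question.

```python
"""Triage EVE alerts for ET sid 2032926 and draft per-source suppress lines.

Added example; assumes Suricata EVE JSON alert records and the standard
threshold.config 'suppress gen_id/sig_id/track by_src/ip' syntax.
"""
import json
from collections import Counter

SID = 2032926
SMTP_PORTS = {25, 465, 587}

# Constructed sample: first line mirrors the NFS-backup alert from the
# question, second is a plausible real SMTP hit, third is not an alert.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.168.69.246","src_port":806,"dest_ip":"192.168.69.245","dest_port":2049,"proto":"TCP","alert":{"signature_id":2032926},"app_proto":"failed"}
{"event_type":"alert","src_ip":"198.51.100.7","src_port":51000,"dest_ip":"192.168.69.245","dest_port":25,"proto":"TCP","alert":{"signature_id":2032926},"app_proto":"smtp"}
{"event_type":"flow","src_ip":"192.168.69.246","dest_ip":"192.168.69.245"}
"""


def is_smtp_flow(ev):
    """True if the app-layer parser or the port indicates genuine SMTP."""
    return ev.get("app_proto") == "smtp" or ev.get("dest_port") in SMTP_PORTS


def triage(eve_text, sid=SID):
    """Count sid hits on flows that are not SMTP, keyed by
    (src_ip, dest_ip, dest_port, app_proto); these are tune candidates."""
    candidates = Counter()
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert" or ev["alert"].get("signature_id") != sid:
            continue
        if is_smtp_flow(ev):
            continue  # real SMTP target: keep the rule active for it
        candidates[(ev["src_ip"], ev["dest_ip"], ev["dest_port"], ev.get("app_proto"))] += 1
    return candidates


def suppress_lines(candidates, sid=SID):
    """Draft threshold.config entries limited to the noisy source host."""
    return [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}"
            for (src, _dst, _port, _proto) in sorted(candidates)]


if __name__ == "__main__":
    hits = triage(SAMPLE_EVE)
    for key, n in hits.items():
        print(f"{n} non-SMTP hit(s) for {key}")
    print("\n".join(suppress_lines(hits)))
```

Review the drafted lines against the hosts involved before adding them to threshold.config, since a by_src suppress silences the signature for every destination that source talks to.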