teamcymru alerts

Hi,

I'm using the TeamCymru alerts in the notice.log file, but I was wondering
if someone could help interpret the specific field: file_desc which is
listed as "Additional context for file, if available"?

Normally that field will list a website, presumably where the file was
downloaded from and it looks like this <sanitized>:

"http://d pullupdate com/ius/Setup.exe"

Which is extremely useful. But there are some alerts in that field, which
are going to port 25, where it lists email addresses like this:

"<liuyp1952@163.com> -> <french_a@kids.wustl.edu>: Mail Delivery
(failur..."

That's the exact content of the field including the ... at the end.

I assume this is an alert for an email that went from that 163.com account
to the french_a@kids account and the malicious file BRO detected was
attached.

Do I have this right? What about that Mail Delivery (failur... at the end?
Thanks,
-Brian

Brian Allen
Network Security Analyst
Washington University

> I assume this is an alert for an email that went from that 163.com account
> to the french_a@kids account and the malicious file BRO detected was
> attached.

Yep.

> Do I have this right? What about that Mail Delivery (failur... at the end?

The "..." indicates that the content was trimmed.

  .Seth
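An added example, not code from Bro or from anyone in this thread: a small parser for the two file_desc shapes quoted above (an HTTP URL, and the SMTP "<from> -> <to>: subject" form), which also records whether the value carried the trailing "..." that marks trimmed content. The field layout is assumed from the two samples in the thread; the HTTP sample value below is constructed, not the sanitized one from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed SMTP context layout, taken from the sample quoted in the thread:
#   <sender> -> <recipient>: subject
SMTP_RE = re.compile(r"^<(?P<sender>[^>]*)> -> <(?P<recipient>[^>]*)>: (?P<subject>.*)$")


@dataclass
class FileContext:
    kind: str                       # "http", "smtp" or "unknown"
    url: Optional[str] = None       # set for HTTP downloads
    sender: Optional[str] = None    # set for SMTP attachments
    recipient: Optional[str] = None
    subject: Optional[str] = None
    truncated: bool = False         # True when Bro trimmed the value ("...")


def parse_file_desc(field: str) -> FileContext:
    """Interpret one notice.log file_desc value."""
    value = field.strip()
    # The field appears quoted in the log; drop one pair of surrounding quotes.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    # A trailing "..." means the content was trimmed, so what follows it is
    # a prefix of the real value, not the full value.
    truncated = value.endswith("...")
    if truncated:
        value = value[:-3]
    if value.startswith(("http://", "https://")):
        return FileContext(kind="http", url=value, truncated=truncated)
    m = SMTP_RE.match(value)
    if m:
        return FileContext(kind="smtp", sender=m.group("sender"),
                           recipient=m.group("recipient"),
                           subject=m.group("subject"), truncated=truncated)
    return FileContext(kind="unknown", truncated=truncated)


# Constructed sample values: the SMTP one mirrors the thread, the URL is made up.
SAMPLE_SMTP = '"<liuyp1952@163.com> -> <french_a@kids.wustl.edu>: Mail Delivery (failur..."'
SAMPLE_HTTP = '"http://example.invalid/ius/Setup.exe"'

if __name__ == "__main__":
    for sample in (SAMPLE_SMTP, SAMPLE_HTTP):
        print(parse_file_desc(sample))
```

Because a truncated subject is only a prefix, match on it with startswith rather than equality when correlating these notices with smtp.log.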