LoFP LoFP / internal hosts that legitimately send mail to external mail transfer agents listening on tcp port 26 may cause false positives. mail servers or applications with known external smtp relays can be excluded by source or destination ip address as this is expected behavior.

Techniques

Sample rules

SMTP to the Internet on Port 26/TCP

Description

This rule detects events that may indicate use of SMTP on TCP port 26 from an internal host to an external destination. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems. The rule is scoped to outbound traffic (internal source to external destination) to focus on the command and control and exfiltration use cases, rather than benign internal mail relays or unrelated transit traffic observed by the sensor.

Detection logic

(data_stream.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and
  network.transport:tcp and destination.port:26 and
  source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and
  not destination.ip:(10.0.0.0/8
    or 100.64.0.0/10
    or 127.0.0.0/8
    or 169.254.0.0/16
    or 172.16.0.0/12
    or 192.0.0.0/24
    or 192.0.0.0/29
    or 192.0.0.10/32
    or 192.0.0.170/32
    or 192.0.0.171/32
    or 192.0.0.8/32
    or 192.0.0.9/32
    or 192.0.2.0/24
    or 192.168.0.0/16
    or 192.175.48.0/24
    or 192.31.196.0/24
    or 192.52.193.0/24
    or 192.88.99.0/24
    or 198.18.0.0/15
    or 198.51.100.0/24
    or 203.0.113.0/24
    or 224.0.0.0/4
    or 240.0.0.0/4
    or "::1"
    or "FE80::/10"
    or "FF00::/8")