This policy contains rules that detect Sendmail broken pipe error messages (Sendmail Header Processing Buffer Overflow Vulnerability). These error messages can be a result of a configuration error or an indication of malicious activity associated with Sendmail.

Download ITA Sendmail_BrokenPipe_Messages Policy

Affected Platforms

Sendmail (All Versions)

Description

This policy detects Sendmail broken pipe error messages sent to syslog.

Policy rules include:

• Sendmail_BrokenPipe_Detected
  This rule generates an event when multiple Sendmail broken pipe error messages are sent to syslog.

Configuring External Audit Log Monitoring

If Sendmail is configured to send error messages to logs other than syslog, it is recommended ITA be configured to monitor that log. To configure Intruder Alert to monitor an external mail log, follow the steps below.

1. In the Registered Agents branch, select the Agent on the web server.
   
   
   
   
2. Click NEW
   
   The Audit Log dialog box appears.
   
   
   
   
3. In the Description box, type a description of the log file.
   
   
4. In the File Name box, type the path and the filename to monitor. In this case the Sendmail maillog file will be found in the following location /var/log/maillog.
   
   
5. Select Single Line for the single line log file.
   
   
6. Select OK.
   
   
7. Select Save from the Agent Configuration view.