[Snort-devel] How detect relaying with qmail and snort ?

Frank Knobbe fknobbe at ...337...
Thu May 29 10:10:06 EDT 2003


On Tue, 2003-05-27 at 12:08, r2d2r4 at ...2002... wrote:
> I add this rule on smtp.rules and snort detect relaying with qmail :
> 
> alert tcp $SMTP_SERVERS 25 -> $ANY any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content: "553 sorry, that domain isn't in my list of allowed rcpthosts"; depth:70; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; )


I believe it should be:
alert tcp any any -> $SMTP_SERVERS 25 (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content: "553 sorry, that domain isn't in my list of allowed rcpthosts"; nocase; depth:70; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; )

Note that the session is set up by the client so you have any -> server.
Also, I added nocase in case the "Sorry" is capitalized.

Regards,
Frank
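Added example, not part of the thread: a small Python model of how Snort evaluates the two rules above against the qmail 553 reply. It covers the three options in play: the header (addresses and ports are checked against each packet's own source and destination), flow:from_server (the packet must come from the side that accepted the connection), and content with depth and nocase (the whole pattern must lie within the first 70 payload bytes; nocase makes the comparison case-insensitive). The $SMTP_SERVERS value, client address and port, and the trailing "(#5.7.1)" on the reply are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample values (not from the thread): a hypothetical $SMTP_SERVERS
# variable, a hypothetical client, and the relay-denial reply in both spellings.
SMTP_SERVERS: Set[str] = {"192.0.2.25"}
CLIENT_IP = "198.51.100.7"
DENIAL_LOWER = b"553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)\r\n"
DENIAL_CAPS = b"553 Sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)\r\n"

# The content string from the rule (60 bytes), and its depth.
PATTERN = b"553 sorry, that domain isn't in my list of allowed rcpthosts"
DEPTH = 70


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    from_server: bool   # True when the listening side (port 25) sent this packet
    payload: bytes


@dataclass
class Header:
    """Rule header 'src sport -> dst dport'; None stands for 'any'."""
    src: Optional[Set[str]]
    sport: Optional[int]
    dst: Optional[Set[str]]
    dport: Optional[int]


# The two headers discussed in the thread.
POSTER_HEADER = Header(SMTP_SERVERS, 25, None, None)   # $SMTP_SERVERS 25 -> $ANY any
REPLY_HEADER = Header(None, None, SMTP_SERVERS, 25)    # any any -> $SMTP_SERVERS 25


def header_matches(h: Header, p: Packet) -> bool:
    """Snort compares the header's addresses/ports with each packet's own src/dst."""
    return ((h.src is None or p.src in h.src)
            and (h.sport is None or p.sport == h.sport)
            and (h.dst is None or p.dst in h.dst)
            and (h.dport is None or p.dport == h.dport))


def content_matches(payload: bytes, pattern: bytes, depth: int, nocase: bool) -> bool:
    """'content' with 'depth': the whole pattern has to fit inside the first `depth` bytes."""
    window = payload[:depth]
    if nocase:
        return pattern.lower() in window.lower()
    return pattern in window


def rule_matches(h: Header, want_from_server: bool, pattern: bytes,
                 depth: int, nocase: bool, p: Packet) -> bool:
    """Header, flow direction and content all have to agree for the rule to fire."""
    return (header_matches(h, p)
            and p.from_server == want_from_server
            and content_matches(p.payload, pattern, depth, nocase))


def server_reply(payload: bytes) -> Packet:
    """The 553 line travels from the server's port 25 to the client's ephemeral port."""
    return Packet("192.0.2.25", 25, CLIENT_IP, 51234, True, payload)


def evaluate(payload: bytes, header: Header, nocase: bool) -> bool:
    """Evaluate one of the thread's rules (flow:from_server, depth:70) against a 553 reply."""
    return rule_matches(header, True, PATTERN, DEPTH, nocase, server_reply(payload))


if __name__ == "__main__":
    for name, header in (("poster", POSTER_HEADER), ("reply", REPLY_HEADER)):
        for label, payload in (("lower", DENIAL_LOWER), ("caps", DENIAL_CAPS)):
            for nocase in (False, True):
                print(f"{name:6} header, {label:5} reply, nocase={nocase}: "
                      f"{evaluate(payload, header, nocase)}")
```

Running it shows why nocase matters (the capitalised "Sorry" only matches once it is set) and how the header interacts with flow:from_server: the packet that carries the 553 text has source port 25, so a header whose destination is port 25 never sees it. The depth check is a separate boundary worth remembering; a 60-byte pattern preceded by 10 bytes still fits inside depth:70, one byte more and it does not.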
