[Snort-sigs] SMTP versus POP3

Michael Scheidell scheidell at ...249...
Sun Apr 28 18:47:02 EDT 2002


> Hi,
> 
> I noticed that most of the virus/worm rules are for POP3 traffic only. I 
> would expect that SMTP is even a more likely candidate for this sort of 
> traffic.
> 
> I could not tell whether IMAP might be useful as well but I find the lack 
> of SMTP signatures a bit disturbing.
> 
> Hugo.
> 
> PS: I know I could just copy it and change 110 into 25 but I would expect 
> a more permanent solution.

I was just looking at those.
Need two sets, ingress and egress rules.

in fact, worms can come in through http also, (web based email)
so, 

alert tcp any 25:110 <> any any (worm rule)

I guess the pop3 rule is assuming that the company has an antivirus
software (that is more up to date than snort rules) on their mail
server and this just tries to catch the lusers who try to pop3 around to
personal accounts.

In that case, AT LEAST, do this to rules

alert tcp any 80:110 -> any any
(but, don't a lot of the rules depend on content headers? are they in web
based mail?)

sed '/tcp any 110/s/tcp any 110/tcp any 80:110/' < virus.rules > tmp
mv tmp virus.rules

doesn't make sense to 
alert tcp $EXTERNAL_NET 80:110 -> $HOME_NET :1023

since luser COULD pop from homenet mail server back to external net.

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
http://www.secnap.net/
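Added example (not part of the original thread and not Snort's own code): a small Python matcher for the rule-header syntax the reply uses, so a reader can check what the suggested port changes actually match. It implements a simplified subset of Snort's header grammar (single addresses or CIDRs, `any`, `!` negation, `$VAR` lookups, and ports as `N`, `N:M`, `:M`, `N:`; bracketed lists are not handled). The `$HOME_NET`/`$EXTERNAL_NET` values, the IP addresses, and the sample rules are constructed for the demonstration. It shows two points worth knowing before running the sed rewrite: `80:110` is an inclusive range (it also matches ports 81 through 109), and a rule pinned to `$EXTERNAL_NET 80:110 -> $HOME_NET :1023` does not see a session where the POP3 server sits in HOME_NET and the client outside, while the `any 80:110 -> any any` form does.

```python
import ipaddress
import re

# Constructed stand-ins for the snort.conf variables (assumption: a single
# 10/8 internal range; EXTERNAL_NET is its negation, as in a typical config).
VARS = {
    "$HOME_NET": ["10.0.0.0/8"],
    "$EXTERNAL_NET": ["!10.0.0.0/8"],
}

# Rule header: action proto src sport dir dst dport  (options ignored here)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
)


def parse_header(rule):
    """Split a Snort rule line into its header fields (subset of the grammar)."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule header: %r" % rule)
    return m.groupdict()


def port_matches(spec, port):
    """Port spec: any | N | N:M (inclusive) | :M | N: | !spec."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        lo = int(lo) if lo else 0
        hi = int(hi) if hi else 65535
        return lo <= port <= hi
    return port == int(spec)


def addr_matches(spec, ip):
    """Address spec: any | $VAR | !spec | single IP | CIDR."""
    if spec == "any":
        return True
    if spec in VARS:
        return any(addr_matches(s, ip) for s in VARS[spec])
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _one_way(h, src, sport, dst, dport):
    return (addr_matches(h["src"], src) and port_matches(h["sport"], sport)
            and addr_matches(h["dst"], dst) and port_matches(h["dport"], dport))


def rule_matches(rule, src, sport, dst, dport):
    """True if the packet (src:sport -> dst:dport) hits the rule header.
    '<>' rules are tried in both directions, '->' rules in one."""
    h = parse_header(rule)
    if _one_way(h, src, sport, dst, dport):
        return True
    if h["dir"] == "<>":
        return _one_way(h, dst, dport, src, sport)
    return False


def widen_pop3_ports(rule_text):
    """Same edit as the sed one-liner in the post: 'tcp any 110' -> 'tcp any 80:110'."""
    return re.sub(r"tcp any 110\b", "tcp any 80:110", rule_text)


if __name__ == "__main__":
    narrow = 'alert tcp $EXTERNAL_NET 80:110 -> $HOME_NET :1023 (msg:"virus";)'
    wide = 'alert tcp any 80:110 -> any any (msg:"virus";)'
    # Constructed case from the post: internal POP3 server 10.1.1.5 answering
    # an external client 203.0.113.9 on an ephemeral port.
    pkt = ("10.1.1.5", 110, "203.0.113.9", 1500)
    print("narrow rule sees internal-server session:", rule_matches(narrow, *pkt))
    print("wide rule sees internal-server session:  ", rule_matches(wide, *pkt))
    print("80:110 also covers port 98:", port_matches("80:110", 98))
```

`rule_matches` only evaluates the header; content options still have to match in a real deployment, which is the reply's own question about whether the header-based signatures apply to web mail at all.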