[Snort-sigs] SMTP versus POP3
Imran William Smith
iwsmith at ...500...
Sun Apr 28 19:16:02 EDT 2002
While we're on the subject of Viruses, the guy who installed
our corporate anti-virus solution (trend micro, plugged in to
squid proxy, I heard) said although snort has a open source
effort for IDS signatures, there is no comparative open source
effort for virus signatures (i.e. trying to make an open source
antivirus solution, with no payment for up-to-date signatures).
Isn't that a shame? Anybody thought of doing something about
it? I appreciate that a lot of the hard work is developing the
internal engine that the signatures read into.
Or if there is such a thing, could anybody give URLs?
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia
----- Original Message -----
From: "Michael Scheidell" <scheidell at ...249...>
To: "Hugo van der Kooij" <hvdkooij at ...481...>
Cc: "snort-sigs mailinglist" <snort-sigs at lists.sourceforge.net>
Sent: Monday, April 29, 2002 9:46 AM
Subject: Re: [Snort-sigs] SMTP versus POP3
| > Hi,
| > I noticed that most of the virus/worm rules are for POP3 traffic only. I
| > would expect that SMTP is even a more likely candidate for this sort of
| > traffic.
| > I could not tell whether IMAP might be useful as well but I find the lack
| > of SMTP signatures a bit disturbing.
| > Hugo.
| > PS: I know I could just copy it and change 110 into 25 but I would expect
| > a more permanent solution.
| I was just looking at those.
| need two sets, ingress and egress rules.
| in fact, worms can come in through http also, (web based email)
| alert tcp any 25:110 <> any any (worm rule)
| I guess the pop3 rule is assuming that the company has an antivirus
| software (that is more up to date than snort rules) on their mail
| server and this just tries to catch the lusers who try to pop3 around to
| personal accounts.
| In that case, AT LEAST, do this to rules
| alert tcp any 80:110 -> any any
| (but, don't a lot of the rules depend on content headers? are they in web
| based mail?)
| sed '/tcp any 110/s/tcp any 110/tcp any 80:110/' < virus.rules > tmp
| mv tmp virus.rules
| doesn't make sense to
| alert tcp $EXTERNAL_NET 80:110 -> $HOME_NET :1023
| since luser COULD pop from homenet mail server back to external net.
| Michael Scheidell
| SECNAP Network Security, LLC
| (561) 368-9561 scheidell at ...249...
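The port rewriting discussed in the quoted message, as an added example that is not part of the original thread: a small Python rewriter that turns a POP3-only (source port 110) rule into one rule per mail-service port, rather than a 25:110 or 80:110 range, because a Snort port range matches every port in between and not only the two endpoints. The sample rule, its msg text and its sid are constructed placeholders, not lines from the real virus.rules.

```python
import re

# Added example (not from the thread): rewrite the source-port field of
# Snort 2 rule headers so a POP3-only rule also covers SMTP, emitting one
# rule per service port instead of a 25:110 range (which matches all ports).
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))?\s*$"
)

def ports_in_spec(spec):
    """Ports matched by a Snort port spec: '110', '80:110', ':1023' or 'any'."""
    if spec == "any":
        return range(0, 65536)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return range(int(lo or 0), int(hi or 65535) + 1)
    return range(int(spec), int(spec) + 1)

def rewrite_rule(rule, from_port="110", to_ports=(25, 110), bidirectional=False):
    """Leave a rule alone unless its source port equals from_port; then
    return one copy per port in to_ports (optionally with the <> operator)."""
    m = HEADER_RE.match(rule.strip())
    if m is None:
        raise ValueError(f"not a Snort rule header: {rule!r}")
    f = m.groupdict()
    if f["sport"] != from_port:
        return [rule.strip()]
    direction = "<>" if bidirectional else f["dir"]
    out = []
    for p in to_ports:
        hdr = f'{f["action"]} {f["proto"]} {f["src"]} {p} {direction} {f["dst"]} {f["dport"]}'
        out.append(f"{hdr} {f['opts']}" if f["opts"] else hdr)
    return out

def rewrite_file(lines, **kw):
    """Apply rewrite_rule to every non-comment, non-blank line (a sed-like pass)."""
    out = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            out.append(line.rstrip("\n"))
        else:
            out.extend(rewrite_rule(line, **kw))
    return out

# Constructed sample rule; msg text and sid are placeholders, not from virus.rules.
SAMPLE = ['alert tcp any 110 -> any any (msg:"Virus - Possible sample worm"; sid:1000001;)']
```

Running `rewrite_file(SAMPLE, bidirectional=True)` yields one SMTP and one POP3 rule with the `<>` operator, covering both the ingress and egress cases raised in the thread.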