[Snort-sigs] SMTP versus POP3

Shane Manners shane.manners at ...567...
Sun Apr 28 19:45:05 EDT 2002

For mail gateway av scanning (linux users) have a look at:



-----Original Message-----
From: Imran William Smith [mailto:iwsmith at ...500...] 
Sent: Monday, April 29, 2002 12:15 PM
To: snort-sigs at lists.sourceforge.net
Cc: sazli at ...500...
Subject: Re: [Snort-sigs] SMTP versus POP3

While we're on the subject of Viruses, the guy who installed our corporate
anti-virus solution (trend micro, plugged in to squid proxy, I heard) said
although snort has a open source effort for IDS signatures, there is no
comparative open source effort for virus signatures (i.e. trying to make an
open source antivirus solution, with no payment for up-to-date signatures).

Isn't that a shame?  Anybody though of doing something about it?  I
appreciate that a lot of the hard work is developing the internal engine
that the signatures read into.

Of if there is such a thing, could anybody give URLs?


Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

----- Original Message ----- 
From: "Michael Scheidell" <scheidell at ...249...>
To: "Hugo van der Kooij" <hvdkooij at ...481...>
Cc: "snort-sigs mailinglist" <snort-sigs at lists.sourceforge.net>
Sent: Monday, April 29, 2002 9:46 AM
Subject: Re: [Snort-sigs] SMTP versus POP3

| > Hi,
| > 
| > I noticed that most of the virus/worm rules are for POP3 traffic 
| > only. I
| > would expect that SMTP is even a more likely candidate for this sort of 
| > traffic.
| > 
| > I could not tell wether IMAP might be useful as well but I find the 
| > lack
| > of SMTP signatures a bit disturbing.
| > 
| > Hugo.
| > 
| > PS: I know I could just copy it and change 110 into 25 but I would 
| > expect
| > a more permanent solution.
| I was just looking at those.
|  need two sets, ingress and egress rules.
| in fact, worms can come in through http also, (web based email) so,
| alert tcp any 25:110 <> any any (worm rule)
| I guess the pop3 rule is assuming that the company has an antivirus 
| software (that is more up to date then snort rules) on their mail mail 
| server and this just tries to catch the lusers who try to pop3 around 
| to personal accounts.
| In that case, AT LEAST, do this to rules
| alert tcp any 80:110 -> any any
| (but, done a lot of the rules depend on content headers? are then in 
| web based mail?)
| sed '/tcp any 110/s/tcp any 110/tcp any 80:110/' < virus.rules > tmp 
| mv tmp virus.rules
| doesn't make sense to
| alert tcp $EXTERNAL_NET 80:110 -> $HOME_NET :1023
| since luser COULD pop from homenet mail server back to external net.
| --
| Michael Scheidell
| SECNAP Network Security, LLC
| (561) 368-9561 scheidell at ...249...
| http://www.secnap.net/
| _______________________________________________
| Snort-sigs mailing list
| Snort-sigs at lists.sourceforge.net 
| https://lists.sourceforge.net/lists/listinfo/snort-sigs

Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list