[Snort-sigs] SID 567 incomplete

Jon Hart jhart at ...289...
Tue Jan 22 20:26:01 EST 2002


I just noticed while preparing a writeup for uncle snort.

warchild at ...292...
[~]$ telnet mail.ccs.neu.edu 25
Trying 129.10.116.51...
Connected to amber.ccs.neu.edu.
Escape character is '^]'.
220 amber.ccs.neu.edu ESMTP Postfix
helo foo.bar.com
250 amber.ccs.neu.edu
mail from: warchild_is_a_spammer at ...288...
250 Ok
rcpt to: my_spamlist at ...294...
554 <my_spamlist at ...294...>: Recipient address rejected: Relay access
denied

#####
alert tcp $SMTP 25 -> $EXTERNAL_NET any (msg:"INFO SMTP relaying denied";
flags: A+; content: "550 5.7.1"; depth:70; reference:arachnids,249;
classtype:misc-activity; sid:567; rev:5;) 
#####

567 will not catch this attempted mail relay.  I propose the following in
addition to SID 567 to catch relaying attempts:

#####
alert tcp $SMTP 25 -> $EXTERNAL_NET any (msg:"INFO SMTP relaying denied";
flags: A+; content: "554*Relay access denied"; regex; depth:70;
reference:arachnids,249; classtype:misc-activity; sid:1405; rev:1;)
#####

I'm not too keen on Snort's regex capabilities, but I'm sure if I'm off
track someone can easily clean this thing up.

-warchild
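Editor's note, added to this archived post and not part of what warchild sent: the gap the post describes is easy to see by running both rules' match conditions over sample SMTP responses. The script below models SID 567 as a plain content match for "550 5.7.1" and the proposed SID 1405 as the old Snort `regex` modifier, where `*` is treated as a wildcard (an assumption about that modifier, translated here to the Python regex `.*`); both are limited to the first 70 bytes the way `depth:70` constrains a content match. The response lines are constructed, not captured traffic: the Postfix lines follow the shape quoted in the post with placeholder addresses, and the "550 5.7.1 ... Relaying denied" line is a constructed Sendmail-style response. The last sample shows a caveat the post does not raise: with a recipient address longer than about 15 characters the Postfix "Relay access denied" text falls past byte 70, so the proposed rule as written would not fire on it unless the depth is raised.

```python
import re

# depth:70 in both rules: the pattern has to be found within the first 70 payload bytes.
DEPTH = 70

# Constructed SMTP server -> client responses (not captured traffic).
SAMPLES = {
    # Same shape as the Postfix line quoted in the post, short placeholder address.
    "postfix_short": "554 <a@b.cc>: Recipient address rejected: Relay access denied\r\n",
    # Same Postfix text with a longer (still placeholder) recipient address.
    "postfix_long": "554 <my_spamlist@example.invalid>: Recipient address rejected: "
                    "Relay access denied\r\n",
    # Constructed Sendmail-style relay denial, the text SID 567 was written for.
    "sendmail_style": "550 5.7.1 <a@b.cc>... Relaying denied\r\n",
    # Normal accepted command, should never alert.
    "benign": "250 Ok\r\n",
}


def content_match(payload, pattern, depth=DEPTH):
    """Snort 'content' with 'depth': literal pattern inside the first `depth` bytes.
    depth=None searches the whole payload (no depth keyword)."""
    window = payload if depth is None else payload[:depth]
    return pattern in window


def wildcard_match(payload, pattern, depth=DEPTH):
    """Assumed model of the old Snort 'regex' modifier: '*' matches any run of
    bytes, '?' matches one byte, everything else is literal. Like content_match,
    the whole match must fit inside the first `depth` bytes."""
    window = payload if depth is None else payload[:depth]
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.search(regex, window) is not None


# The two rules from the post, reduced to their payload match conditions.
RULES = {
    567: lambda p, depth=DEPTH: content_match(p, "550 5.7.1", depth),
    1405: lambda p, depth=DEPTH: wildcard_match(p, "554*Relay access denied", depth),
}


def evaluate(payload, depth=DEPTH):
    """Return {sid: matched} for one server response."""
    return {sid: rule(payload, depth) for sid, rule in RULES.items()}


def relay_denied_alert(payload, depth=DEPTH):
    """True if either rule would fire on the response (the post's proposal is
    to run both side by side)."""
    return any(evaluate(payload, depth).values())


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:15s} {evaluate(payload)}  alert={relay_denied_alert(payload)}")
    # The long-address Postfix line only matches once the depth limit is lifted.
    print("postfix_long, no depth:", evaluate(SAMPLES["postfix_long"], depth=None))
```

Running it shows SID 567 firing only on the Sendmail-style line and the proposed rule only on the short Postfix line, which is the complementary coverage the post argues for; the long-address case is the one to keep in mind when picking the depth value.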
