[Snort-sigs] Using snort to stop SMTP dictionary attacks

Steve Cody snortadmin at ...1556...
Wed Jun 4 17:21:09 EDT 2003

Ok, my setup is like this.  It's very small scale.  My linux box running
Sendmail is also the host running snort.  It's a single machine
co-located on a T1.  The only thing between the machine and the Internet
is the router.

Since I haven't tried to write any rules, if someone could give me an
example of matching some text based on "User unknown" being sent back
from my server with a source port of 25 and destination port of 1024 or
greater and seeing a certain number of matches before doing RST's.

Thanks again!

On Wed, 2003-06-04 at 19:54, james wrote:
> My experience with dictionary attacks is they come at a great rate of speed.
> They are also launched for other people's servers. So resetting will be a lot of
> packets & unless the placement of the Snort box is ideal you will need
> RST's back to your mail server, also. A lot of packets.
> Consider Snort in line, however, it is up to you to write a rule that can fire
> on a dictionary attack.
> We use the Postini service for this.
> james
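A rule of the shape asked for above, as an added example that is not from the thread: it alerts when the mail server has answered the same remote host with "User unknown" 20 times inside 60 seconds. It assumes $HOME_NET and $EXTERNAL_NET are defined in snort.conf, that sid 1000001 is unused in the local range, and that Sendmail's rejection text contains the string "User unknown" as it does by default.

```snort
# Added example (not the list's or Snort's own rule set).
# Direction: server port 25 -> remote ephemeral port (1024 and up),
# so the match is on the SMTP reply, not the client's RCPT TO.
alert tcp $HOME_NET 25 -> $EXTERNAL_NET 1024: \
    (msg:"LOCAL SMTP User unknown flood - possible dictionary attack"; \
    flow:established,from_server; \
    content:"User unknown"; nocase; \
    threshold:type both, track by_dst, count 20, seconds 60; \
    classtype:attempted-recon; sid:1000001; rev:1;)
```

The rule only alerts; no active-response keyword is included, so the alert counts it produces are a way to measure, before resetting anything, how many packets the resets james warns about would amount to on this link.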
