[Snort-sigs] Using snort to stop SMTP dictionary attacks]

Esler, Joel Contractor EslerJ at ...785...
Thu Jun 5 04:53:06 EDT 2003


You need to recompile snort with the flex-resp option.  Then use the
flex-resp stuff in a rule.

J

-----Original Message-----
From: Steve Cody [mailto:snortadmin at ...1556...] 
Sent: Wednesday, June 04, 2003 8:21 PM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Using snort to stop SMTP dictionary attacks]


Ok, my setup is like this.  It's very small scale.  My linux box running
Sendmail is also the host running snort.  It's a single machine co-located
on a T1.  The only thing between the machine and the Internet is the router.

Since I haven't tried to write any rules, if someone could give me an
example of matching some text based on "User unknown" being sent back from
my server with a source port of 25 and destination port of 1024 or greater and
seeing a certain number of matches before doing RST's.

Thanks again!
Steve

On Wed, 2003-06-04 at 19:54, james wrote:
> My experience with dictionary attacks is they come at a great rate of 
> speed. They are also launched for other people's servers. So resetting 
> will be a lot of packets & unless the placement of the Snort 
> box is ideal you will need RST's back to your mail server, also. A lot 
> of packets.
> 
> Consider Snort inline; however, it is up to you to write a rule that 
> can fire on a dictionary attack.
> 
> We use the Postini service for this.
> 
> james
> 



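The rule Steve asks for, written out as an added example rather than anything posted in this thread: it assumes Snort 2.0 or later (the threshold keyword and the stream4 preprocessor behind flow), HOME_NET set to the Sendmail host, and the count, window and sid values are illustrative placeholders.

```snort
# Added example for this thread, not a rule posted by any participant.
# Assumes Snort 2.0 or later (the "threshold" keyword and the stream4
# preprocessor that backs "flow"), with HOME_NET set to the Sendmail host.
# The count/seconds values and the sids are illustrative placeholders.

# Sendmail answers an unknown recipient with a 550 line that ends in
# "User unknown".  Watch for that line leaving port 25 toward a client on
# an unprivileged port (1024 and up), and fire only once a single remote
# host has drawn 20 such replies inside 60 seconds.  A typo in one address
# never reaches the threshold; an address-harvesting run does.
alert tcp $HOME_NET 25 -> $EXTERNAL_NET 1024: ( \
    msg:"SMTP dictionary attack - repeated User unknown from server"; \
    flow:from_server,established; \
    content:"550 "; depth:4; \
    content:"User unknown"; nocase; \
    threshold:type threshold, track by_dst, count 20, seconds 60; \
    classtype:attempted-recon; \
    sid:1000001; rev:1; \
)

# Same rule with active response, which is what the reply at the top of
# this thread means by "the flex-resp stuff".  It only works in a Snort
# built with --enable-flexresp and, as james points out, every hit costs
# extra packets.  rst_all sends a TCP RST toward both the client and the
# mail server, so the session on Sendmail is torn down as well.
# alert tcp $HOME_NET 25 -> $EXTERNAL_NET 1024: ( \
#     msg:"SMTP dictionary attack - resetting session"; \
#     flow:from_server,established; \
#     content:"User unknown"; nocase; \
#     threshold:type threshold, track by_dst, count 20, seconds 60; \
#     resp:rst_all; \
#     classtype:attempted-recon; sid:1000002; rev:1; \
# )
```

Run the first rule alone for a while and tune count and seconds against the alert log before uncommenting the resetting variant, since the threshold decides whether a legitimate mail gateway bouncing a few bad addresses gets reset too.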