[Snort-sigs] Using snort to stop SMTP dictionary attacks]

Rich Adamson radamson at ...908...
Thu Jun 5 06:29:02 EDT 2003

Be carefull with the flex-resp option. Some spammers and hackers ignore the 
RST packet, and simply reseting the sendmail port doesn't actually accomplish
anything usefull. Sending the flex-resp RST packet will not happen
immediately; it will occur some time "after" the dataflow has been analyzed,
rules applied, etc, which generally allows several more inbound packets to
arrive. Also, if snort misses any packets (eg, dropped due to instantanous 
overload) the dataflow won't ever be analyzed and therefore no RST packet.

> You need to recompile snort with the flex-resp option.  Then use the
> flex-resp stuff in a rule.
> -----Original Message-----
> Ok, my setup is like this.  It's very small scale.  My linux box running
> Sendmail is also the host running snort.  It's a single machine co-located
> on a T1.  The only thing between the machine and the Internet is the router.
> Since I haven't tried to write any rules, if someone could give me an
> example of matching some text based on "User unknown" being sent back from
> my server with a source port of 25 and destation port of 1024 or greater and
> seeing a certain number of matches before doing RST's.

More information about the Snort-sigs mailing list