[Snort-sigs] Using snort to stop SMTP dictionary attacks

Dale L. Handy dhandy at ...1244...
Thu Jun 5 14:13:01 EDT 2003


Hmm, well, FWIW, to at least log it, you would write something simple like 
this (note the colon after the 1024, and the rule goes on a single line):

alert tcp $HOME_NET 25 -> $EXTERNAL_NET 1024: (msg:"SMTP User unknown"; flow:from_server,established; content:"user unknown"; nocase; sid:1000001;)

Where HOME_NET and EXTERNAL_NET have been set up appropriately, e.g.:

var HOME_NET 10.1.2.0/24
var EXTERNAL_NET !$HOME_NET



Steve Cody wrote:

>Ok, my setup is like this.  It's very small scale.  My linux box running
>Sendmail is also the host running snort.  It's a single machine
>co-located on a T1.  The only thing between the machine and the Internet
>is the router.
>
>Since I haven't tried to write any rules, if someone could give me an
>example of matching some text based on "User unknown" being sent back
>from my server with a source port of 25 and destination port of 1024 or
>greater and seeing a certain number of matches before doing RST's.
>
>Thanks again!
>Steve
>
>On Wed, 2003-06-04 at 19:54, james wrote:
>  
>
>>My experience with dictionary attacks is they come at a great rate of speed.
>>They are also launched for other people's servers. So resetting will be a lot of
>>packets & unless the placement of the Snort box is ideal you will need
>>RST's back to your mail server, also. A lot of packets.
>>
>>Consider Snort in line, however, it is up to you to write a rule that can fire
>>on a dictionary attack.
>>
>>We use the Postini service for this.
>>
>>james
>>
>>
>>_______________________________________________
>>Snort-sigs mailing list
>>Snort-sigs at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>    
>>
>
>
>

-- 
"The trouble with doing something right the first time 
 is that nobody appreciates how difficult it was."

-- Dale L. Handy, P.E.
   dale at ...1527...          (208) 552-5332 (work)          (208) 403-6424 (cell)
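Steve asked for the rule to act only after a certain number of matches. The following is an added Python example, not code from any poster, that applies that per-host counting to the alerts Dale's rule would emit: it reads constructed lines approximating Snort's fast alert format for sid 1000001 and flags any client that received at least `count` "user unknown" replies within `seconds` (the 4-in-60-seconds threshold, the 2003 capture year and the sample addresses are assumptions).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed alert lines approximating Snort's fast alert format, as the
# "SMTP User unknown" rule (sid 1000001) above would log them. Sample addresses.
ALERTS = """\
06/05-14:13:01.000100  [**] [1:1000001:0] SMTP User unknown [**] [Priority: 0] {TCP} 10.1.2.25:25 -> 198.51.100.7:40001
06/05-14:13:01.500200  [**] [1:1000001:0] SMTP User unknown [**] [Priority: 0] {TCP} 10.1.2.25:25 -> 198.51.100.7:40002
06/05-14:13:02.000300  [**] [1:1000001:0] SMTP User unknown [**] [Priority: 0] {TCP} 10.1.2.25:25 -> 203.0.113.9:51000
06/05-14:13:02.100400  [**] [1:1000001:0] SMTP User unknown [**] [Priority: 0] {TCP} 10.1.2.25:25 -> 198.51.100.7:40003
06/05-14:13:03.000500  [**] [1:1000001:0] SMTP User unknown [**] [Priority: 0] {TCP} 10.1.2.25:25 -> 198.51.100.7:40004
06/05-14:15:30.000600  [**] [1:1000001:0] SMTP User unknown [**] [Priority: 0] {TCP} 10.1.2.25:25 -> 198.51.100.7:40005
06/05-14:15:31.000700  [**] [1:1000001:0] SMTP User unknown [**] [Priority: 0] {TCP} 10.1.2.25:25 -> 203.0.113.9:51001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line):
    """Return (timestamp, sid, dst_ip) for one fast-format alert line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The fast format carries no year; 2003 is assumed to match this thread.
    ts = datetime.strptime("2003/" + m.group("ts"), "%Y/%m/%d-%H:%M:%S.%f")
    return ts, int(m.group("sid")), m.group("dst")

def dictionary_attack_sources(lines, sid=1000001, count=4, seconds=60):
    """Flag hosts that received >= `count` 'user unknown' replies within any
    `seconds`-long sliding window. The rule fires on server -> client traffic,
    so the alert's destination is the client probing the mail server; counting
    by destination is what a per-attacker threshold on this rule must do."""
    windows = defaultdict(deque)   # dst ip -> timestamps of hits still in window
    flagged = {}                   # dst ip -> time the threshold was first crossed
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None or parsed[1] != sid:
            continue
        ts, _, dst = parsed
        q = windows[dst]
        q.append(ts)
        while (ts - q[0]).total_seconds() > seconds:
            q.popleft()            # drop hits older than the window
        if len(q) >= count and dst not in flagged:
            flagged[dst] = ts
    return flagged
```

Running it over the sample lines flags 198.51.100.7 (four replies in two seconds) and leaves 203.0.113.9 alone, since its two replies are minutes apart.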