[Snort-sigs] Using snort to stop SMTP dictionary attacks
erek at ...95...
Thu Jun 5 21:37:05 EDT 2003
On Wed, 4 Jun 2003, Steve Cody wrote:
> Since I haven't tried to write any rules, if someone could give me an
> example of matching some text based on "User unknown" being sent back
> from my server with a source port of 25 and destination port of 1024 or
> greater and seeing a certain number of matches before doing RST's.
I won't even discuss how bad you can hurt yourself with FlexResp. If
you're curious, check the archives for snort-users and search for
'auto blocking', 'flexresp', or 'session sniping'. Lotsa reading... :)
Snort doesn't have the ability to do 'thresholding', so that can't be
If you approach the problem backwards, you have a shot at making it work.
Have a rules file that contains pass rules for each and every valid email
address at your site, then block everything else. Just be sure to change
your rule order (-o or use a 'config order' statement).
"When things get weird, the weird turn pro." H.S. Thompson
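The "backwards" approach above, written out as an added example rule set for Snort 2.x (this is not from the original post or from the Snort project). It assumes a `$SMTP_SERVERS` variable defined in snort.conf, local addresses in the made-up `example.com` domain, and SIDs in the local 1000000+ range; the pass rules whitelist each valid RCPT TO address and a single alert rule catches every other recipient, with `config order` moving pass rules ahead of alert rules as the post suggests:

```snort
# snort.conf: evaluate pass rules before alert rules (same effect as -o).
# Without this, the alert rule below fires before any pass rule can match.
config order: pass alert log

# One pass rule per valid local mailbox (constructed example.com addresses).
# "RCPT TO|3A|" is the command with a hex-encoded colon; the second content
# match is anchored after it with distance:0 so a valid address appearing
# elsewhere in the packet does not accidentally whitelist the request.
pass tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO valid user alice"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; content:"alice@example.com"; nocase; distance:0; sid:1000001; rev:1;)
pass tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO valid user bob"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; content:"bob@example.com"; nocase; distance:0; sid:1000002; rev:1;)
pass tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO valid user postmaster"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; content:"postmaster@example.com"; nocase; distance:0; sid:1000003; rev:1;)

# Everything else: any RCPT TO that no pass rule claimed is an unknown recipient.
# Alert only; no resp: option, for the FlexResp reasons given in the post.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO unknown recipient (possible dictionary attack)"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; classtype:attempted-recon; sid:1000100; rev:1;)
```

Two caveats a practitioner would want before deploying this: the pass list must be regenerated whenever a mailbox is added or removed (a stale list turns legitimate mail into alerts), and a client that pipelines several RCPT TO commands into one packet is whitelisted as a whole if any one of them is valid, so the alert counts should be read as a signal to investigate rather than an exact tally of bad recipients.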