[Snort-sigs] Using snort to stop SMTP dictionary attacks

Erek Adams erek at ...95...
Thu Jun 5 21:37:05 EDT 2003

On Wed, 4 Jun 2003, Steve Cody wrote:


> Since I haven't tried to write any rules, if someone could give me an
> example of matching some text based on "User unknown" being sent back
> from my server with a source port of 25 and destination port of 1024 or
> greater and seeing a certain number of matches before doing RST's.

I won't even discuss how bad you can hurt yourself with FlexResp.  If
you're curious, check the archives for snort-users and search for
'auto blocking', 'flexresp', or 'session sniping'.  Lotsa reading...  :)

Snort doesn't have the ability to do 'thresholding', so that can't be

If you approach the problem backwards, you have a shot at making it work.
Have a rules file that contains pass rules for each and every valid email
address at your site, then block everything else.  Just be sure to change
your rule order (-o or use a 'config order' statement).


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
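A rules file sketching both halves of the thread, as an added example (not from the list post or the Snort project): the "User unknown" match Steve asked for, and Erek's backwards approach of pass rules per valid recipient ahead of a catch-all alert. The network variables, recipient addresses and SIDs are assumed placeholders; the catch-all is an alert only, since the post itself warns against FlexResp-style RSTs.

```snort
# Assumed values: a documentation-range mail server and two valid mailboxes.
var SMTP_SERVERS 192.0.2.25
var EXTERNAL_NET !192.0.2.0/24

# Evaluate pass rules first (equivalent to the -o command-line switch).
config order: pass alert log activation dynamic

# One pass rule per valid recipient: matching RCPT TO commands are ignored
# by the alert rules below.
pass tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT valid user alice"; flow:to_server,established; content:"RCPT TO:"; nocase; content:"alice@example.com"; nocase; sid:1000001; rev:1;)
pass tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT valid user bob"; flow:to_server,established; content:"RCPT TO:"; nocase; content:"bob@example.com"; nocase; sid:1000002; rev:1;)

# Everything else: any RCPT TO that no pass rule claimed is a guess at an address.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT to unknown recipient"; flow:to_server,established; content:"RCPT TO:"; nocase; classtype:misc-activity; sid:1000010; rev:1;)

# The original request: the server's "User unknown" reply, port 25 to an
# ephemeral port (1024 and up).
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET 1024: (msg:"SMTP server replied User unknown"; flow:from_server,established; content:"User unknown"; nocase; classtype:misc-activity; sid:1000011; rev:1;)
```

The "see N matches before acting" part that the post says Snort lacks arrived in later 2.x releases as the `threshold` rule option and then `detection_filter` / `event_filter`, so on a current Snort the last rule can carry a count and seconds window instead of firing on every reply.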
