[Snort-sigs] Using snort to stop SMTP dictionary attacks

Erek Adams erek at ...95...
Thu Jun 5 21:37:05 EDT 2003


On Wed, 4 Jun 2003, Steve Cody wrote:

[...snip...]

> Since I haven't tried to write any rules, if someone could give me an
> example of matching some text based on "User unknown" being sent back
> from my server with a source port of 25 and destination port of 1024 or
> greater and seeing a certain number of matches before doing RST's.

I won't even discuss how bad you can hurt yourself with FlexResp.  If
you're curious, check the archives for snort-users and search for
'auto blocking', 'flexresp', or 'session sniping'.  Lotsa reading...  :)

Snort doesn't have the ability to do 'thresholding', so that can't be
done.

If you approach the problem backwards, you have a shot at making it work.
Have a rules file that contains pass rules for each and every valid email
address at your site, then block everything else.  Just be sure to change
your rule order (-o or use a 'config order' statement).

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson