[Snort-sigs] How to detect relaying with qmail and Snort?

r2d2r4 at ...1548... r2d2r4 at ...1548...
Thu May 29 05:32:17 EDT 2003


I tested snort 191b234 and 200b072, and qmail103 ...

I ran a relaying test with abuse.net, but Snort did not raise an event for this test.

Snort does not have a relaying rule for qmail.

I added this rule to smtp.rules, and Snort now detects relaying with qmail:

alert tcp $SMTP_SERVERS 25 -> $ANY any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content:"553 sorry, that domain isn't in my list of allowed rcpthosts"; depth:70; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity;)
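
Added example, not part of the original post and not Snort code: a small Python emulation of the rule's content/depth pair, run over constructed server payloads, to check which segments satisfy it and how many bytes may precede the 553 text inside one segment. The helper names `content_match` and `headroom` and all sample payloads are assumptions made for illustration.

```python
# Emulates the two payload options of the rule above (content + depth) on
# server-to-client data. All sample payloads are constructed for illustration.

RULE_CONTENT = b"553 sorry, that domain isn't in my list of allowed rcpthosts"
RULE_DEPTH = 70


def content_match(payload: bytes, content: bytes, depth: int) -> bool:
    """Snort-style match: the whole pattern must lie in the first `depth` bytes."""
    if depth < len(content):
        raise ValueError("depth is smaller than the content length")
    return content in payload[:depth]


def headroom(content: bytes, depth: int) -> int:
    """Largest payload offset at which the pattern can start and still match."""
    return depth - len(content)


REJECT = b"553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)\r\n"

# Constructed payloads, one TCP segment each.
SAMPLES = {
    "qmail rejection alone": REJECT,
    "one reply ahead of it in the segment": b"250 ok\r\n" + REJECT,
    "two replies ahead of it in the segment": b"250 ok\r\n250 ok\r\n" + REJECT,
    "accepted recipient": b"250 ok\r\n",
    "non-qmail style rejection": b"550 5.7.1 Relaying denied\r\n",
}


def evaluate(samples=SAMPLES):
    """Return {sample name: True if the rule's content/depth pair matches}."""
    return {name: content_match(p, RULE_CONTENT, RULE_DEPTH)
            for name, p in samples.items()}


if __name__ == "__main__":
    print(f"pattern {len(RULE_CONTENT)} bytes, depth {RULE_DEPTH}, "
          f"headroom {headroom(RULE_CONTENT, RULE_DEPTH)} bytes")
    for name, hit in evaluate().items():
        print(f"{'ALERT   ' if hit else 'no alert'}  {name}")
```

With a 60-byte pattern and depth:70, the 553 text has to start within the first 10 bytes of the segment, which is worth keeping in mind when tuning the depth value.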

