[Snort-sigs] How detect relaying with qmail and snort ?

daniel.clemens daniel_clemens at ...842...
Thu May 29 10:57:06 EDT 2003


On 28 May 2003 r2d2r4 at ...1548... wrote:

> Hi,
>
> I tested Snort 191b234 and 200b072,
>
> and qmail103 ...
>
> I ran a relaying test with abuse.net,
>
> but Snort did not generate an event for this test.
>
> Snort does not have a relaying rule for qmail.
>
> I added this rule to smtp.rules and Snort detects relaying with qmail:
>
> alert tcp $SMTP_SERVERS 25 -> $ANY any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content: "553 sorry, that domain isn't in my list of allowed rcpthosts"; depth:70; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; )

You might want to change the $ANY var to be just 'any'.

> Please cc me to your answers.

-Dan
-------------------------------------------------------------------------------------------------------------
Esse quam videra
    		(to be, rather than to appear)
--------------------------------------------------------------------------------------------------------------
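
Added example, not part of the original thread: a small Python emulation of the rule's content/depth test, showing how far into a server reply segment the 553 string can start before depth:70 stops matching. The payloads are constructed samples, and the case of several replies sharing one TCP segment (for example with SMTP pipelining) is an assumption, as are the helper names.

```python
# Added example: emulates the `content` + `depth` test from the rule above.
# All payloads below are constructed samples, not captured traffic.

PATTERN = b"553 sorry, that domain isn't in my list of allowed rcpthosts"
DEPTH = 70  # from the rule: depth:70


def rule_matches(payload: bytes, pattern: bytes = PATTERN, depth=DEPTH) -> bool:
    """True if `pattern` lies entirely within the first `depth` payload bytes.

    depth=None emulates the same rule with the depth option removed.
    """
    window = payload if depth is None else payload[:depth]
    return pattern in window


def max_start_offset(pattern: bytes = PATTERN, depth: int = DEPTH) -> int:
    """Largest payload offset at which the pattern can start and still match."""
    return depth - len(pattern)


# Constructed server-to-client payloads, one TCP segment each (assumption).
REJECT = PATTERN + b" (#5.7.1)\r\n"
SAMPLES = {
    "reject alone": REJECT,
    "accepted rcpt": b"250 ok\r\n",
    "one reply before reject": b"250 ok\r\n" + REJECT,
    "two replies before reject": b"250 ok\r\n250 ok\r\n" + REJECT,
}


def evaluate(depth=DEPTH) -> dict:
    """Run the emulated rule over every constructed sample."""
    return {name: rule_matches(p, depth=depth) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    print("pattern length:", len(PATTERN), "max start offset:", max_start_offset())
    for name, hit in evaluate().items():
        print(f"{name:28} {'ALERT' if hit else 'no alert'}")
```
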
