[Snort-sigs] sid 567 and new mail relay signatures

Jon Hart warchild at ...288...
Thu Sep 4 16:51:02 EDT 2003


On Thu, Sep 04, 2003 at 05:55:10PM -0400, Jason wrote:
> a thought to consider
> 
> why not a byte_test for >= 550 as a status code in conjunction with the 
> content "relay" between two newlines.

550+ might get a few too many false positives.  See section 4.2 of
http://www.faqs.org/rfcs/rfc821.html for some error codes.  Maybe if we
assume some range, like 550-555, that might work a bit better.  I don't
recall ever seeing newlines...  

Another thing I've been seeing lately is mail servers throwing 550
errors if the content is unacceptable (i.e., virus), so this makes
things difficult because the number of alerts could really skyrocket.

> It is not a perfect solution but forging and crafting should be a non 
> issue since the server is the one returning the status code. Wonder what 
> performance impacts there would be too but since there would be several 
> content checks it should be ok.

Very true, especially given that this rule uses 'flow'.  Before, when
simple flags were used, any jerk with a packet crafter could really ring
some bells.  I don't think there will be any sort of performance hit.
At worst, there might be two or three content matches, which is no worse
than existing rules.

-jon
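Added example (not part of the message above or of the Snort ruleset): a small Python emulation of the two detection variants under discussion, run over constructed SMTP reply lines. It compares a bare "status code >= 550" check against the tighter "code in 550-555 and the word relay in the reply text" check. The sample replies, the 550-555 range and the case-insensitive "relay" match are assumptions for illustration; Snort's byte_test/content matching and the flow direction check are not reproduced here, only the decision logic.

```python
import re

# Constructed SMTP server reply lines (not captured traffic), covering the
# cases raised in the thread: genuine relay refusals, a 550 for virus content,
# a 550 for an unknown user, and relay refusals outside the 550-555 range or
# without the word "relay".
SAMPLE_REPLIES = [
    "250 2.1.5 Ok",
    "550 5.7.1 <bob@example.net>... Relaying denied",
    "554 5.7.1 Relay access denied",
    "550 5.7.1 Message content rejected: virus found",
    "550 5.1.1 User unknown",
    "553 sorry, that domain isn't in my list of allowed rcpthosts",
    "571 Relay not permitted",
]

# RFC 821 reply: three-digit code, then a space (last line) or a hyphen
# (continuation line of a multi-line reply), then free text.
STATUS_RE = re.compile(r"^(\d{3})[ -](.*)$")


def parse_reply(line):
    """Return (status_code, text) for one SMTP reply line, or None if malformed."""
    m = STATUS_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def code_only_alert(line, threshold=550):
    """The broad variant: alert on any reply whose code is >= threshold."""
    parsed = parse_reply(line)
    return parsed is not None and parsed[0] >= threshold


def relay_rule_alert(line, low=550, high=555, keyword="relay"):
    """The proposed variant: code within [low, high] and 'relay' in the text
    (assumed case-insensitive substring match; 'Relaying' also matches)."""
    parsed = parse_reply(line)
    if parsed is None:
        return False
    code, text = parsed
    return low <= code <= high and keyword in text.lower()


def alerts(lines, rule):
    """Return the reply lines that would fire under the given rule function."""
    return [line for line in lines if rule(line)]


if __name__ == "__main__":
    print("code >= 550 alone:")
    for hit in alerts(SAMPLE_REPLIES, code_only_alert):
        print("  ", hit)
    print("550-555 plus 'relay':")
    for hit in alerts(SAMPLE_REPLIES, relay_rule_alert):
        print("  ", hit)
```

Against the sample set the bare code check fires on six of seven lines, including the virus and unknown-user rejections, while the range-plus-keyword check fires only on the two replies that actually mention relaying. The qmail-style 553 and the 571 show the cost of the tighter rule: refusals phrased without the word "relay", or outside the chosen range, are missed.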
