[Snort-sigs] Update on the non-smtp server rule

Eric Hines eric.hines at ...1663...
Tue Aug 17 11:21:03 EDT 2004


For those of you who are using the bleedingsnort.com rules, one of our
customers found a typo in the non-smtp server rules. A "space" needs to be
put in between type and threshold. This causes snort to error with:

"ERROR: Threshold-RuleOptionParse: incorrect argument count, should be 4 pairs
Fatal Error, Quitting.."



ORIGINAL RULE
###############

#Unauthorized Email Rule
alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (msg:"BLEEDING-EDGE Multiple Non-SMTP Server Emails";flags: S; threshold: typethreshold, track by_src, count 5 , seconds 60; classtype:misc-activity;rev:1; sid:2000328;)


FIXED RULE
#########################

#Unauthorized Email Rule
alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (msg:"BLEEDING-EDGE Multiple Non-SMTP Server Emails";flags: S; threshold: type threshold, track by_src, count 5 , seconds 60; classtype:misc-activity;rev:1; sid:2000328;)




Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.
Direct: (877) 262-7593 x327


---------------------------------------------------------------

Toll Free: (877) 262-7593 (9am-5pm PST) Monday-Friday
Direct:    (877) 262-7593 x327

Address:   1134 N. Main St.
           Algonquin, IL 60102

---------------------------------------------------------------
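
Added example, not part of the original post: a small pre-deployment lint that catches this class of typo before Snort refuses to start. It assumes the Snort 2.x in-rule threshold syntax (type limit|threshold|both, track by_src|by_dst, count N, seconds N); the function names are hypothetical and the two sample rules are the ones quoted above, re-joined onto one line.

```python
import re

# Assumed Snort 2.x threshold syntax: exactly four "name value" pairs.
ALLOWED = {"type": r"limit|threshold|both", "track": r"by_src|by_dst",
           "count": r"\d+", "seconds": r"\d+"}
# Simplification: assumes "threshold:" and ";" do not occur inside the msg string.
THRESHOLD_OPT = re.compile(r"\bthreshold\s*:\s*([^;]*);")
SID_OPT = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# The two rules from the post, re-joined onto one line each.
HEAD = 'alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (msg:"BLEEDING-EDGE Multiple Non-SMTP Server Emails";flags: S; threshold: '
TAIL = ", track by_src, count 5 , seconds 60; classtype:misc-activity;rev:1; sid:2000328;)"
ORIGINAL_RULE = HEAD + "typethreshold" + TAIL
FIXED_RULE = HEAD + "type threshold" + TAIL


def check_threshold(rule):
    """Return the problems found in a rule's threshold option ([] if none)."""
    m = THRESHOLD_OPT.search(rule)
    if m is None:
        return []  # no threshold option in this rule
    problems, seen = [], set()
    args = [a.split() for a in m.group(1).split(",")]
    if len(args) != 4:
        problems.append(f"expected 4 pairs, found {len(args)}")
    for pair in args:
        if len(pair) != 2:
            problems.append(f"not a 'name value' pair: {' '.join(pair)!r}")
        elif pair[0] not in ALLOWED:
            problems.append(f"unknown argument {pair[0]!r}")
        else:
            seen.add(pair[0])
            if not re.fullmatch(ALLOWED[pair[0]], pair[1]):
                problems.append(f"bad value for {pair[0]}: {pair[1]!r}")
    missing = sorted(set(ALLOWED) - seen)
    if missing:
        problems.append("missing: " + ", ".join(missing))
    return problems


def lint_rules(text):
    """Map sid -> problems for each non-comment rule line that fails the check."""
    report = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and (problems := check_threshold(line)):
            sid = SID_OPT.search(line)
            report[sid.group(1) if sid else "?"] = problems
    return report
```

Running lint_rules() over a downloaded rules file before reloading the sensor turns a fatal startup error into a per-sid report.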

 




