[Snort-sigs] Update on the non-smtp server rule

Matthew Jonkman matt at ...2436...
Tue Aug 17 18:13:48 EDT 2004


I think the first version of the rule that went up had that typo in it. 
It was corrected shortly after. I'd imagine you had that first version.

The current version was corrected shortly after the first was posted. 
The current version is:

alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (msg:"BLEEDING-EDGE Multiple Non-SMTP Server Emails";flags: S; threshold: type threshold, track by_src,count 10, seconds 60; classtype:misc-activity; rev:2; sid:2000328;)

The threshold was upped to 10 in 60 seconds; I think that's the only real 
difference, other than the typo fix.

Thanks

Matt

Eric Hines wrote:
> For those of you who are using the bleedingsnort.com rules, one of our
> customers found a typo in the non-smtp server rules. A "space" needs to be
> put in between type threshold. This causes snort to error with:
> 
> "ERROR: Threshold-RuleOptionParse: incorrect argument count, should be 4
> pairs
> Fatal Error, Quitting.."
> 
> 
> 
> ORIGINAL RULE
> ###############
> 
> #Unauthorized Email Rule
> alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (msg:"BLEEDING-EDGE Multiple Non-SMTP Server Emails";flags: S; threshold: typethreshold, track by_src, count 5 , seconds 60; classtype:misc-activity;rev:1; sid:2000328;)
> 
> 
> FIXED RULE
> #########################
> 
> #Unauthorized Email Rule
> alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (msg:"BLEEDING-EDGE Multiple Non-SMTP Server Emails";flags: S; threshold: type threshold, track by_src, count 5 , seconds 60; classtype:misc-activity;rev:1; sid:2000328;)
> 
> 
> 
> 
> Best Regards,
> 
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, Inc.
> Direct: (877) 262-7593 x327
> 
> 
> ---------------------------------------------------------------
> 
> Toll Free: (877) 262-7593 (9am-5pm PST) Monday-Friday
> Direct:    (877) 262-7593 x327
> 
> Address:   1134 N. Main St.
>            Algonquin, IL 60102
> 
> ---------------------------------------------------------------
> 
>  
> 
> 
> 
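The parse failure Eric describes is an argument-count check: Snort expects the threshold option to be four "key value" pairs, and "typethreshold" collapses the first pair into a single token. The following Python validator is an added example, not code from the thread or from Snort; it reproduces that check over both rules quoted above (joined onto single lines) and reports the rev:2 count/seconds values Matt mentions. The accepted type values (limit, threshold, both) and track values (by_src, by_dst) are taken from Snort's threshold documentation; the regex-based option extraction and the exact wording of the error string beyond "incorrect argument count, should be 4 pairs" are this example's own simplifications.

```python
import re

# Rules as posted in the thread, joined onto single lines; otherwise verbatim.
ORIGINAL_RULE = (
    'alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 '
    '(msg:"BLEEDING-EDGE Multiple Non-SMTP Server Emails";flags: S; '
    'threshold: typethreshold, track by_src, count 5 , seconds 60; '
    'classtype:misc-activity;rev:1; sid:2000328;)'
)
CURRENT_RULE = (
    'alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 '
    '(msg:"BLEEDING-EDGE Multiple Non-SMTP Server Emails";flags: S; '
    'threshold: type threshold, track by_src,count 10, seconds 60; '
    'classtype:misc-activity; rev:2; sid:2000328;)'
)

# Documented Snort threshold values; the key set is what the 4-pair form requires.
THRESHOLD_TYPES = {"limit", "threshold", "both"}
TRACK_VALUES = {"by_src", "by_dst"}
REQUIRED_KEYS = {"type", "track", "count", "seconds"}


def extract_threshold_option(rule: str) -> str:
    """Return the body of the rule's 'threshold:' option (text up to the ';').

    The word boundary keeps 'typethreshold' from being mistaken for the keyword.
    """
    m = re.search(r'\bthreshold\s*:\s*([^;]*);', rule)
    if m is None:
        raise ValueError("rule has no threshold option")
    return m.group(1)


def parse_threshold_option(option: str) -> dict:
    """Parse 'type X, track Y, count N, seconds M' into a dict.

    Mirrors the argument-count check Snort performs: four comma-separated
    entries, each of which must split into exactly a key and a value.
    """
    pairs = [p.strip() for p in option.split(",")]
    if len(pairs) != 4:
        raise ValueError(
            f"incorrect argument count, should be 4 pairs (got {len(pairs)})")
    parsed = {}
    for pair in pairs:
        tokens = pair.split()
        if len(tokens) != 2:
            # This is the branch the 'typethreshold' typo falls into.
            raise ValueError(
                "incorrect argument count, should be 4 pairs "
                f"({pair!r} is not a 'key value' pair)")
        key, value = tokens
        if key in parsed:
            raise ValueError(f"duplicate key {key!r}")
        parsed[key] = value
    if set(parsed) != REQUIRED_KEYS:
        raise ValueError(
            f"expected keys {sorted(REQUIRED_KEYS)}, got {sorted(parsed)}")
    if parsed["type"] not in THRESHOLD_TYPES:
        raise ValueError(f"unknown threshold type {parsed['type']!r}")
    if parsed["track"] not in TRACK_VALUES:
        raise ValueError(f"unknown track value {parsed['track']!r}")
    for key in ("count", "seconds"):
        if not parsed[key].isdigit() or int(parsed[key]) <= 0:
            raise ValueError(f"{key} must be a positive integer, got {parsed[key]!r}")
        parsed[key] = int(parsed[key])
    return parsed


def check_rule(rule: str) -> tuple:
    """Validate one rule's threshold option.

    Returns (ok, message); on failure the message is prefixed the way Snort's
    fatal error is, so it can be grepped for in the same way.
    """
    try:
        parsed = parse_threshold_option(extract_threshold_option(rule))
    except ValueError as exc:
        return False, f"ERROR: Threshold-RuleOptionParse: {exc}"
    return True, (f"ok: type={parsed['type']} track={parsed['track']} "
                  f"count={parsed['count']} seconds={parsed['seconds']}")


if __name__ == "__main__":
    for name, rule in (("original rev:1", ORIGINAL_RULE),
                       ("current rev:2", CURRENT_RULE)):
        ok, message = check_rule(rule)
        print(f"{name}: {message}")
```

Running the script on a rules file before loading it into Snort catches this class of typo without a restart cycle; the same loop over every line containing `threshold:` is the obvious extension, and the check is strict on purpose (unknown keys or non-numeric counts fail too), since a silently mis-parsed threshold is a detection gap rather than just a startup error.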