[Snort-sigs] Bleeding addition

Matthew Jonkman matt at ...2436...
Mon Jun 28 09:39:03 EDT 2004

These are being added to Stable-Side for now. I'll move them over into 
Stable and the bleeding.rules in a day or so. You can see them now at 

If you want to use these rules you need to add var SMTP_SERVERS to your 
snort.conf's. It'll make snort fail if you don't. That's why they're not 
going into the stable right off. Want to give everyone time to either 
add it or disable the rules in their local conf.

What they'll do is help you find infected hosts. It's been working very 
well for us for some time. You can generally narrow down the hosts that 
should be sending mail to 5 or 10. These sigs will tell you where they 
are quickly; then add them to the SMTP_SERVERS var. Lots of good info 
will come from these. We've also caught a few vendors sending 
'anonymous' system information without our awareness. :)

pass tcp $SMTP_SERVERS any -> any 25 ( sid:2000324; rev: 1; msg:"BLEEDING-EDGE Ignore Authorized SMTP Traffic";)
pass tcp any any -> $SMTP_SERVERS 25 ( sid:2000325; rev: 1; msg:"BLEEDING-EDGE Ignore Authorized SMTP Traffic";)
alert tcp !$SMTP_SERVERS any -> any 25 ( sid:2000326; rev: 1; msg:"BLEEDING-EDGE Possible UnAuthorized SMTP Traffic"; content:"RCPT TO"; nocase;)

Again, these are in stable-side for now, they'll go into the 
bleeding.rules in a few days.
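
The triage these rules enable, as an added example that is not part of the original post or of the rule set: the Python below applies the same pass/alert logic to constructed packet summaries and counts alerting sources per host. It assumes pass rules are evaluated before alert rules; the addresses, the SMTP_SERVERS value and the function names are made up for illustration.

```python
import ipaddress

# Constructed stand-in for "var SMTP_SERVERS" in snort.conf (documentation addresses).
SMTP_SERVERS = ["192.0.2.10/32", "192.0.2.11/32"]
NETS = [ipaddress.ip_network(n) for n in SMTP_SERVERS]

# Constructed packet summaries: source, destination, destination port, TCP payload.
PACKETS = [
    {"src": "192.0.2.10", "dst": "203.0.113.5", "dport": 25, "payload": b"RCPT TO:<a@example.com>\r\n"},
    {"src": "192.0.2.57", "dst": "192.0.2.10", "dport": 25, "payload": b"RCPT TO:<b@example.com>\r\n"},
    {"src": "192.0.2.77", "dst": "203.0.113.9", "dport": 25, "payload": b"rcpt to:<c@example.net>\r\n"},
    {"src": "192.0.2.77", "dst": "198.51.100.3", "dport": 25, "payload": b"RCPT TO:<d@example.org>\r\n"},
    {"src": "192.0.2.77", "dst": "203.0.113.9", "dport": 25, "payload": b"EHLO host\r\n"},
    {"src": "192.0.2.88", "dst": "203.0.113.9", "dport": 80, "payload": b"RCPT TO:<e@example.com>\r\n"},
]


def in_var(ip, networks):
    """True if ip is inside any network of the SMTP_SERVERS list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def evaluate(pkt, networks):
    """Return 'pass', 'alert' or None for one packet summary."""
    if pkt["dport"] != 25:
        return None                      # all three rules only look at port 25
    if in_var(pkt["src"], networks):     # sid 2000324: authorized server sending
        return "pass"
    if in_var(pkt["dst"], networks):     # sid 2000325: delivery to an authorized server
        return "pass"
    if b"rcpt to" in pkt["payload"].lower():   # sid 2000326: content "RCPT TO", nocase
        return "alert"
    return None


def unauthorized_senders(packets, networks):
    """Count sid 2000326 alerts per source: the hosts to investigate."""
    hits = {}
    for pkt in packets:
        if evaluate(pkt, networks) == "alert":
            hits[pkt["src"]] = hits.get(pkt["src"], 0) + 1
    return hits


if __name__ == "__main__":
    for src, count in unauthorized_senders(PACKETS, NETS).items():
        print(f"{src}: {count} alert(s); clean up, or add to SMTP_SERVERS if legitimate")
```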


