[Snort-sigs] Bleeding addition

Matthew Jonkman matt at ...2436...
Mon Jun 28 10:36:09 EDT 2004


Ahhh. Good point.

Do you have a suggestion as to how to actually do this then?

Matt

Brian wrote:

> On Mon, Jun 28, 2004 at 11:38:54AM -0500, Matthew Jonkman wrote:
> 
>>What they'll do is help you find infected hosts. It's been working very 
>>well for us for some time. You can generally narrow down the hosts that 
>>should be sending mail to 5 or 10, these sigs will tell you where they 
>>are quickly, then add them to the SMTP_SERVERS var. Lots of good info 
>>will come from these. We've also caught a few vendors sending 
>>'anonymous' system information without our awareness. :)
>>
>>pass tcp $SMTP_SERVERS any -> any 25 ( sid:2000324; rev: 1; msg:"BLEEDING-EDGE Ignore Authorized SMTP Traffic";)
>>pass tcp any any -> $SMTP_SERVERS 25 ( sid:2000325; rev: 1; msg:"BLEEDING-EDGE Ignore Authorized SMTP Traffic";)
>>alert tcp !$SMTP_SERVERS any -> any 25 ( sid:2000326; rev: 1; msg:"BLEEDING-EDGE Possible UnAuthorized SMTP Traffic"; content:"RCPT TO"; nocase;)
>>
>>Again, these are in stable-side for now, they'll go into the 
>>bleeding.rules in a few days.
> 
> 
> In the process of doing this detection, you have invalidated ALL of
> the SMTP rules currently in the system.  Hopefully nobody running
> these rules cares about attacks on their real mail servers.
> 
> Brian
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------
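To make Brian's objection concrete, here is an added toy model of Snort-style rule ordering (constructed for this note, not Snort itself and not code from either poster). It assumes pass rules take precedence over alert rules, as when Snort 2 is run with -o, uses constructed addresses for $SMTP_SERVERS, and stands in a hypothetical sid 9999999 for any stock SMTP rule; it shows that the two pass rules silence that stock rule for traffic to the real mail server, while the !$SMTP_SERVERS alert rule on its own still catches the rogue sender.

```python
"""Toy model of Snort-style rule ordering (constructed example, not Snort itself).
Assumes pass rules take precedence over alerts, as when Snort 2 runs with -o."""
from dataclasses import dataclass
from typing import List, Optional

SMTP_SERVERS = {"10.0.0.25", "10.0.0.26"}  # constructed $SMTP_SERVERS

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass
class Rule:
    action: str  # "pass" or "alert"
    sid: int
    src_in_servers: Optional[bool] = None  # True: $SMTP_SERVERS, False: !$SMTP_SERVERS
    dst_in_servers: Optional[bool] = None
    content: Optional[bytes] = None  # matched case-insensitively, like nocase

    def matches(self, p: Packet) -> bool:
        if p.dport != 25:
            return False
        if self.src_in_servers is not None and (p.src in SMTP_SERVERS) != self.src_in_servers:
            return False
        if self.dst_in_servers is not None and (p.dst in SMTP_SERVERS) != self.dst_in_servers:
            return False
        return self.content is None or self.content.lower() in p.payload.lower()

def evaluate(rules: List[Rule], pkt: Packet) -> List[int]:
    """Return sids of alerts raised; a single matching pass rule silences them all."""
    hits = [r for r in rules if r.matches(pkt)]
    if any(r.action == "pass" for r in hits):
        return []
    return [r.sid for r in hits if r.action == "alert"]

# The three rules from the thread, plus a stand-in for any stock SMTP rule (hypothetical sid).
PASS_FROM = Rule("pass", 2000324, src_in_servers=True)
PASS_TO = Rule("pass", 2000325, dst_in_servers=True)
UNAUTH = Rule("alert", 2000326, src_in_servers=False, content=b"RCPT TO")
STOCK = Rule("alert", 9999999, content=b"EXPN root")
WITH_PASS = [PASS_FROM, PASS_TO, UNAUTH, STOCK]
WITHOUT_PASS = [UNAUTH, STOCK]  # the !$SMTP_SERVERS alert already skips the real servers

# Constructed traffic: an outside host probing the real mail server, and an
# internal host sending mail straight to the Internet.
PROBE = Packet("203.0.113.5", "10.0.0.25", 25, b"EXPN root\r\n")
ROGUE = Packet("192.168.1.50", "198.51.100.9", 25, b"RCPT TO:<someone@example.net>\r\n")
```

With the pass rules loaded, evaluate(WITH_PASS, PROBE) returns no alerts at all; without them, the stock rule fires on the probe and sid 2000326 still fires on the rogue host in both configurations.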


