[Snort-sigs] Bleeding addition

Dan Michitsch dmichitsch at ...2066...
Mon Jun 28 10:47:01 EDT 2004


Yeah, I have a sig I made that I REALLY like because if I take the time
to keep $SMTP_SERVERS accurate, then I can quickly see if another
computer (probably worm infected) is sending out more than five emails
within 60 seconds.  Any fewer than five emails is probably normal and I
don't want an alert for EVERY email.  I only use the following rule:

alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (sid:2000327;
msg:"Multiple Non-SMTP Server Emails"; flags:S;
threshold: type threshold, track by_src, count 5, seconds 60;
classtype:misc-activity; rev:1;)

(In my environment I see SMTP traffic amongst various internal servers,
so that's why I ignore emails between known SMTP_SERVERS.)

ymmv,

-Dan
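To make the behaviour of that rule concrete, here is an added Python example (not part of Dan's post or the Snort project) that replays the rule's matching and its "threshold: type threshold, track by_src, count 5, seconds 60" logic over a constructed list of TCP SYN events. The $SMTP_SERVERS addresses, the event records and the Threshold class are assumptions for illustration; the class approximates Snort's per-source window counting (alert on every 5th matching event inside a 60-second window, window restarts when it expires) rather than reproducing the exact sfthreshold code.

```python
from ipaddress import ip_address, ip_network

# Assumed $SMTP_SERVERS variable (constructed addresses, not from the post).
SMTP_SERVERS = [ip_network("10.0.0.25/32"), ip_network("10.0.0.26/32")]
COUNT = 5      # threshold: count 5
SECONDS = 60   # threshold: seconds 60


def is_smtp_server(ip):
    """True if ip falls inside any $SMTP_SERVERS network."""
    return any(ip_address(ip) in net for net in SMTP_SERVERS)


def rule_matches(evt):
    """Header and option test of:
    alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (flags:S; ...)"""
    return (evt["proto"] == "tcp" and evt["dport"] == 25 and evt["flags"] == "S"
            and not is_smtp_server(evt["src"]) and not is_smtp_server(evt["dst"]))


class Threshold:
    """Approximation of 'threshold: type threshold, track by_src, count N, seconds S':
    per source address, count matching events in an S-second window and fire on
    every N-th one; a window that has expired is restarted at the current event."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, events_seen_in_window)

    def fire(self, src, ts):
        start, n = self.state.get(src, (ts, 0))
        if ts - start >= self.seconds:   # window expired: start a new one
            start, n = ts, 0
        n += 1
        if n >= self.count:              # N-th event in the window: alert
            self.state[src] = (start, 0)
            return True
        self.state[src] = (start, n)
        return False


def run_rule(events):
    """Return (timestamp, src) for every alert the rule would raise."""
    th = Threshold(COUNT, SECONDS)
    alerts = []
    for evt in sorted(events, key=lambda e: e["ts"]):
        if rule_matches(evt) and th.fire(evt["src"], evt["ts"]):
            alerts.append((evt["ts"], evt["src"]))
    return alerts


def syn(src, dst, ts, dport=25):
    """Constructed SYN event record (timestamps are seconds from an arbitrary start)."""
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport, "flags": "S", "ts": ts}


# Constructed sample traffic (all addresses and times are made up):
SAMPLE_EVENTS = (
    # a workstation opening 6 outbound SMTP sessions in 50 s -> alert on the 5th
    [syn("192.168.1.50", "203.0.113.10", t) for t in (0, 10, 20, 30, 40, 50)]
    # a workstation sending 3 mails -> below the count, no alert
    + [syn("192.168.1.51", "203.0.113.10", t) for t in (5, 15, 25)]
    # a real mail server relaying 10 mails -> excluded by !$SMTP_SERVERS source
    + [syn("10.0.0.25", "203.0.113.10", t) for t in range(10)]
    # a workstation talking to the internal mail server -> excluded by !$SMTP_SERVERS dest
    + [syn("192.168.1.52", "10.0.0.25", t) for t in range(10)]
    # 4 mails, then 2 more after the 60 s window expired -> counter restarts, no alert
    + [syn("192.168.1.53", "203.0.113.10", t) for t in (0, 10, 20, 30, 100, 110)]
)

if __name__ == "__main__":
    for ts, src in run_rule(SAMPLE_EVENTS):
        print(f"t={ts:>4}s  Multiple Non-SMTP Server Emails  src={src}")
```

Only the first workstation crosses the threshold, and only once, which is the point of the rule: a host that relays more than a handful of mails per minute and is not in $SMTP_SERVERS stands out without generating an alert for every message.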

>>> Brian <bmc at ...95...> 06/28/04 01:21PM >>>
On Mon, Jun 28, 2004 at 11:38:54AM -0500, Matthew Jonkman wrote:
> What they'll do is help you find infected hosts. It's been working very
> well for us for some time. You can generally narrow down the hosts that
> should be sending mail to 5 or 10, these sigs will tell you where they
> are quickly, then add them to the SMTP_SERVERS var. Lots of good info
> will come from these. We've also caught a few vendors sending
> 'anonymous' system information without our awareness. :)
> 
> pass tcp $SMTP_SERVERS any -> any 25 ( sid:2000324; rev: 1;
> msg:"BLEEDING-EDGE Ignore Authorized SMTP Traffic";)
> pass tcp any any -> $SMTP_SERVERS 25 ( sid:2000325; rev: 1;
> msg:"BLEEDING-EDGE Ignore Authorized SMTP Traffic";)
> alert tcp !$SMTP_SERVERS any -> any 25 ( sid:2000326; rev: 1;
> msg:"BLEEDING-EDGE Possible UnAuthorized SMTP Traffic"; content:"RCPT TO"; nocase;)
> 
> Again, these are in stable-side for now, they'll go into the
> bleeding.rules in a few days.

In the process of doing this detection, you have invalidated ALL of
the SMTP rules currently in the system.  Hopefully nobody running
these rules cares about attacks on their real mail servers.

Brian


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/snort-sigs