[Snort-sigs] Bleeding addition

Adrian Marsden amarsden at ...2045...
Mon Jun 28 10:51:01 EDT 2004


If you are looking for outbound SMTP then the probability is high that
you only want your mail servers sending out email.

The easy way to do that is to prevent all outbound access on port 25 at
the firewall except for the mail servers themselves. In that way the
virus does not get propagated and you get warned by the firewall logs of
which machines have a virus with its own SMTP engine, (which is almost
every one).

Much easier and more efficient than writing rules to catch unauthorized
traffic and then having to go chasing it down after the fact. If it's
unauthorized and you can prevent it, prevent it first if at all
possible.
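The egress policy described above, written out as an added example (not code from the thread or from the Bleeding ruleset). It emits iptables commands for review rather than running them, and includes a triage helper that turns the resulting firewall log into the "which machines are infected" list. The relay addresses, inside interface, chain name and log prefix are assumptions, and the log lines fed to the helper are constructed in the LOG target's format.

```shell
#!/bin/sh
# Added example for the egress-filtering approach described above. Not from the
# thread; the mail-relay addresses, interface name, chain name and log prefix are
# assumptions, and the log lines used for the triage demo are constructed.

SMTP_SERVERS="${SMTP_SERVERS:-192.0.2.10 192.0.2.11}"   # assumed authorized relays
LAN_IF="${LAN_IF:-eth1}"                                # assumed inside interface
LOG_PREFIX="SMTP-EGRESS-DENY: "

# Emit the iptables commands instead of running them, so they can be reviewed
# (and diffed against the running ruleset) before being applied on the firewall.
smtp_egress_rules() {
    echo "iptables -N SMTP_EGRESS"
    # Authorized relays leave the chain and continue down FORWARD as before.
    for relay in $SMTP_SERVERS; do
        echo "iptables -A SMTP_EGRESS -s $relay -j RETURN"
    done
    # Everything else is logged (rate-limited so a worm cannot flood syslog)
    # and reset, which makes the infected host fail fast instead of retrying.
    echo "iptables -A SMTP_EGRESS -m limit --limit 6/min -j LOG --log-prefix '$LOG_PREFIX'"
    echo "iptables -A SMTP_EGRESS -j REJECT --reject-with tcp-reset"
    # Only new connections (SYN) from the inside interface to TCP/25 are examined.
    echo "iptables -I FORWARD -i $LAN_IF -p tcp --dport 25 --syn -j SMTP_EGRESS"
}

# Read kernel log lines on stdin and print "host count" for each inside host
# that tried to reach TCP/25 directly, busiest first: this is the list of
# suspected infected machines (or of hosts that belong in SMTP_SERVERS).
smtp_offenders() {
    grep "$LOG_PREFIX" \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# Constructed log lines in the format the LOG target writes (abbreviated).
SAMPLE_LOG='Jun 28 10:51:01 fw kernel: SMTP-EGRESS-DENY: IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=203.0.113.5 PROTO=TCP SPT=1045 DPT=25 SYN
Jun 28 10:51:02 fw kernel: SMTP-EGRESS-DENY: IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.9 PROTO=TCP SPT=1046 DPT=25 SYN
Jun 28 10:51:05 fw kernel: SMTP-EGRESS-DENY: IN=eth1 OUT=eth0 SRC=192.0.2.88 DST=203.0.113.5 PROTO=TCP SPT=3301 DPT=25 SYN
Jun 28 10:51:07 fw kernel: martian source 10.0.0.1 from 192.0.2.99, on dev eth0'

# Usage: sh smtp_egress.sh demo
if [ "${1:-}" = "demo" ]; then
    smtp_egress_rules
    printf '%s\n' "$SAMPLE_LOG" | smtp_offenders
fi
```

Two things to check before trusting the offender list: the policy only covers TCP/25, so a host legitimately submitting mail to an outside provider on 587 or 465 is neither blocked nor logged; and any host that shows up and is actually a mail relay belongs in SMTP_SERVERS (and in the Snort variable of the same name), not on the infected list.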

-----Original Message-----
From: Brian [mailto:bmc at ...95...] 
Sent: Monday, June 28, 2004 1:21 PM
To: Matthew Jonkman
Cc: snort-sigs mailinglist
Subject: Re: [Snort-sigs] Bleeding addition

On Mon, Jun 28, 2004 at 11:38:54AM -0500, Matthew Jonkman wrote:
> What they'll do is help you find infected hosts. It's been working very
> well for us for some time. You can generally narrow down the hosts that
> should be sending mail to 5 or 10, these sigs will tell you where they
> are quickly, then add them to the SMTP_SERVERS var. Lots of good info
> will come from these. We've also caught a few vendors sending
> 'anonymous' system information without our awareness. :)
> 
> pass tcp $SMTP_SERVERS any -> any 25 ( sid:2000324; rev: 1; msg:"BLEEDING-EDGE Ignore Authorized SMTP Traffic";)
> pass tcp any any -> $SMTP_SERVERS 25 ( sid:2000325; rev: 1; msg:"BLEEDING-EDGE Ignore Authorized SMTP Traffic";)
> alert tcp !$SMTP_SERVERS any -> any 25 ( sid:2000326; rev: 1; msg:"BLEEDING-EDGE Possible UnAuthorized SMTP Traffic"; content:"RCPT TO"; nocase;)
> 
> Again, these are in stable-side for now, they'll go into the
> bleeding.rules in a few days.

In the process of doing this detection, you have invalidated ALL of
the SMTP rules currently in the system.  Hopefully nobody running
these rules care about attacks on their real mail servers.

Brian
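One way to keep the detection without the side effect Brian points out, as an added example rather than anything posted in the thread or shipped in the Bleeding ruleset: the two pass rules exist only because sid 2000326 on its own would also fire on inside clients submitting mail to the real mail servers. Negating $SMTP_SERVERS on the destination as well as the source removes that false positive without a pass rule, so every other SMTP signature keeps applying to the real mail servers. The flow option is Snort 2.x's standard one; the sid and rev are kept from the original only as a label and are an assumption.

```snort
# Replacement for the three rules quoted above (added example, not a ruleset revision).
# No pass rules: the real mail servers stay covered by every other SMTP signature.
alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (msg:"BLEEDING-EDGE Possible UnAuthorized SMTP Traffic"; flow:to_server,established; content:"RCPT TO"; nocase; sid:2000326; rev:2;)
```

Two checks before deploying it: SMTP_SERVERS must be set to an explicit list of mail-server addresses, because the stock snort.conf defines it as $HOME_NET and negating that makes the rule cover nothing useful; and note that in Snort 2.x the default rule order evaluates alert rules before pass rules, so the original pass rules only take effect at all when Snort is run with -o (or an equivalent config order that puts pass first), which is one more reason to express the exclusion in the alert rule itself.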


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs