[Snort-sigs] Bleeding addition

Brian bmc at ...95...
Mon Jun 28 10:58:00 EDT 2004


On Mon, Jun 28, 2004 at 01:46:22PM -0400, Dan Michitsch wrote:
> Yeah, I have a sig I made that I REALLY like because if I take the time
> to keep $SMTP_SERVERS accurate, then I can quickly see if another
> computer (probably worm infected) is sending out more than five emails
> within 60 seconds.  Any fewer than five emails is probably normal and I
> don't want an alert for EVERY email.  I only use the following rule:
> 
> alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (sid:2000327;
> msg:"Multiple Non-SMTP Server Emails";flags: S; threshold: type
> threshold, track by_src, count 5 , seconds 60; classtype:misc-activity;
> rev:1;)

Why not try this?

Instead of what you have, alert after 5 messages in one minute:

    threshold:type threshold,track by_src,count 5,seconds 60; 

Try this, one alert per "unlisted" email server per day:

    threshold:type limit,track by_src,count 1,seconds 86400;

Brian
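The difference between the two `threshold` lines above is easy to misread, so here is a small added example (not part of the thread, and not Snort's own code) that models the three threshold types as the Snort manual documents them, tracking by source address: `limit` alerts on the first `count` events per window and suppresses the rest, `threshold` alerts every `count` events within a window, and `both` alerts once per window on the `count`-th event. The event list is constructed for illustration: one host opens ten SMTP connections in 45 seconds and one more about an hour later, a second host opens two.

```python
# Constructed sample events (timestamp in seconds, source IP); not real traffic.
# 10.0.0.5 opens ten SMTP connections in 45 s, then one more about an hour later;
# 10.0.0.9 opens only two in the same minute.
EVENTS = [
    (0, "10.0.0.5"), (5, "10.0.0.5"), (10, "10.0.0.5"), (15, "10.0.0.5"),
    (20, "10.0.0.5"), (25, "10.0.0.5"), (30, "10.0.0.5"), (35, "10.0.0.5"),
    (40, "10.0.0.5"), (45, "10.0.0.5"),
    (50, "10.0.0.9"), (70, "10.0.0.9"),
    (4000, "10.0.0.5"),
]


class Threshold:
    """Per-source event counter modelling Snort's threshold keyword (assumed semantics
    follow the Snort manual; this is an educational model, not Snort's implementation).

    kind:    "limit"     -> alert on the first `count` events per window, then suppress
             "threshold" -> alert every `count` events within a window
             "both"      -> alert once per window, on the `count`-th event
    seconds: length of the tracking window, started by the first event from a source
    """

    def __init__(self, kind, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError(f"unknown threshold type: {kind}")
        self.kind, self.count, self.seconds = kind, count, seconds
        self.state = {}  # src -> (window_start, events_seen_in_window)

    def check(self, ts, src):
        """Return True if the event at time ts from src should raise an alert."""
        start, n = self.state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0          # first event, or window expired: start a new one
        n += 1
        alert = False
        if self.kind == "limit":
            alert = n <= self.count
        elif self.kind == "threshold":
            if n >= self.count:
                alert, n = True, 0    # fire and start counting the next batch
        else:  # both
            alert = n == self.count
        self.state[src] = (start, n)
        return alert


def alerts_for(kind, count, seconds, events=EVENTS):
    """Replay events through a threshold and return the (ts, src) pairs that alert."""
    th = Threshold(kind, count, seconds)
    return [(ts, src) for ts, src in events if th.check(ts, src)]


if __name__ == "__main__":
    print("type threshold, count 5, seconds 60:", alerts_for("threshold", 5, 60))
    print("type limit, count 1, seconds 86400: ", alerts_for("limit", 1, 86400))
    print("type both, count 5, seconds 60:     ", alerts_for("both", 5, 60))
```

Replaying the constructed events shows the trade-off: `type threshold, count 5, seconds 60` fires on the busy host's fifth and tenth connection and stays silent for the host that sent only two, while `type limit, count 1, seconds 86400` reports the first connection from every unlisted sender (including the quiet one) and then suppresses that source for the rest of the day. Later Snort releases moved this tuning out of the rule body into `detection_filter` and `event_filter`, but the type semantics are the same.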
