[Snort-sigs] Bleeding addition

Matthew Jonkman matt at ...2436...
Mon Jun 28 11:53:01 EDT 2004


Thanks both Brian and Dan. I've put that rule up on bleeding.

It's going to go into the Stable branch in an hour or so. If you're 
pulling the rules automated-like be sure to add an SMTP_SERVERS var soon.

Thanks all

Matt

Dan Michitsch wrote:

> Yeah, I have a sig I made that I REALLY like because if I take the time
> to keep $SMTP_SERVERS accurate, then I can quickly see if another
> computer (probably worm infected) is sending out more than five emails
> within 60 seconds.  Any fewer than five emails is probably normal and I
> don't want an alert for EVERY email.  I only use the following rule:
> 
> alert tcp !$SMTP_SERVERS any -> !$SMTP_SERVERS 25 (sid:2000327;
> msg:"Multiple Non-SMTP Server Emails";flags: S; threshold: type
> threshold, track by_src, count 5 , seconds 60; classtype:misc-activity;
> rev:1;)
> 
> (In my environment I see SMTP traffic amongst various internal servers
> so that's why I ignore emails between known SMTP_SERVERS)
> 
> ymmv,
> 
> -Dan
> 
> 
>>>>Brian <bmc at ...95...> 06/28/04 01:21PM >>>
> 
> On Mon, Jun 28, 2004 at 11:38:54AM -0500, Matthew Jonkman wrote:
> 
>>What they'll do is help you find infected hosts. It's been working very
>>well for us for some time. You can generally narrow down the hosts that
>>should be sending mail to 5 or 10, these sigs will tell you where they
>>are quickly, then add them to the SMTP_SERVERS var. Lots of good info
>>will come from these. We've also caught a few vendors sending
>>'anonymous' system information without our awareness. :)
>>
>>pass tcp $SMTP_SERVERS any -> any 25 ( sid:2000324; rev: 1;
>>msg:"BLEEDING-EDGE Ignore Authorized SMTP Traffic";)
>>pass tcp any any -> $SMTP_SERVERS 25 ( sid:2000325; rev: 1;
>>msg:"BLEEDING-EDGE Ignore Authorized SMTP Traffic";)
>>alert tcp !$SMTP_SERVERS any -> any 25 ( sid:2000326; rev: 1;
>>msg:"BLEEDING-EDGE Possible UnAuthorized SMTP Traffic"; content:"RCPT
>>TO"; nocase;)
>>
>>Again, these are in stable-side for now, they'll go into the
>>bleeding.rules in a few days.
> 
> 
> In the process of doing this detection, you have invalidated ALL of
> the SMTP rules currently in the system.  Hopefully nobody running
> these rules cares about attacks on their real mail servers.
> 
> Brian
> 
> 
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
> digital self defense, top technical experts, no vendor pitches, 
> unmatched networking opportunities. Visit www.blackhat.com 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net 
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------
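To make the interaction of the rules quoted in this thread concrete, here is a small Python model of how the two pass rules, the RCPT TO alert and Dan's thresholded SYN rule behave over a handful of connection records. It is an added example, not Snort code and not anything from the Bleeding project: the address set standing in for $SMTP_SERVERS, the traffic records and the "generic SMTP attack" rule with sid 9999999 are all constructed, and the model assumes pass rules are evaluated first (the `snort -o` ordering), which is the situation Brian's objection describes. The threshold is modelled as "fire on every Nth event from a source within the window", a simplification of Snort's `type threshold`.

```python
"""Toy model of the pass / alert / threshold rules discussed in the thread.
Added example, not Snort code. SMTP_SERVERS, the traffic records and
sid 9999999 are constructed for illustration."""
from collections import defaultdict, deque

# Constructed stand-in for the $SMTP_SERVERS variable.
SMTP_SERVERS = {"10.0.0.25", "10.0.0.26"}


class Threshold:
    """Models 'threshold: type threshold, track by_src, count N, seconds S':
    fire on every Nth event from the same source inside an S-second window."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.seen = defaultdict(deque)  # src -> timestamps still in the window

    def check(self, src, ts):
        q = self.seen[src]
        while q and ts - q[0] >= self.seconds:  # expire events outside the window
            q.popleft()
        q.append(ts)
        if len(q) >= self.count:
            q.clear()  # restart the count after firing
            return True
        return False


THRESHOLD_2000327 = Threshold(count=5, seconds=60)


def matches_pass(ev):
    """sid 2000324 / 2000325: either endpoint is a known mail server, dport 25."""
    return ev["dport"] == 25 and (ev["src"] in SMTP_SERVERS or ev["dst"] in SMTP_SERVERS)


def alert_rules(ev):
    """Alert rules from the thread plus one hypothetical ordinary SMTP rule."""
    hits = []
    if ev["dport"] != 25:
        return hits
    payload = ev.get("payload", "").lower()
    # sid 2000326: a host that is not a mail server issues RCPT TO (nocase)
    if ev["src"] not in SMTP_SERVERS and "rcpt to" in payload:
        hits.append(2000326)
    # sid 2000327: SYN between two non-servers, thresholded per source
    if (ev["src"] not in SMTP_SERVERS and ev["dst"] not in SMTP_SERVERS
            and ev.get("flags") == "S"
            and THRESHOLD_2000327.check(ev["src"], ev["ts"])):
        hits.append(2000327)
    # sid 9999999 (hypothetical): stands in for any normal SMTP attack rule
    if "vrfy" in payload:
        hits.append(9999999)
    return hits


def evaluate(ev, pass_first=True):
    """With pass-first ordering a matching pass rule ends evaluation, so no
    alert rule (including the generic one) fires on that traffic."""
    if pass_first and matches_pass(ev):
        return ["pass"]
    return alert_rules(ev)


def run(events, pass_first=True):
    """Evaluate each record in order; returns (ts, src, hits) per record."""
    THRESHOLD_2000327.seen.clear()
    return [(ev["ts"], ev["src"], evaluate(ev, pass_first)) for ev in events]


# Constructed traffic records: ts in seconds, src, dst, dport, TCP flags, payload.
EVENTS = [
    {"ts": 0, "src": "10.0.0.25", "dst": "203.0.113.9", "dport": 25, "flags": "S"},
    # probe against a real mail server: covered by pass rule 2000325
    {"ts": 1, "src": "203.0.113.9", "dst": "10.0.0.25", "dport": 25, "flags": "PA",
     "payload": "VRFY root"},
    # workstation opening six outbound SMTP connections in six seconds
    *({"ts": 10 + i, "src": "10.0.0.77", "dst": f"198.51.100.{i}", "dport": 25,
       "flags": "S"} for i in range(6)),
    {"ts": 20, "src": "10.0.0.77", "dst": "198.51.100.7", "dport": 25, "flags": "PA",
     "payload": "rcpt to:<someone@example.net>"},
    # a second workstation sending two mails 70 seconds apart: below threshold
    {"ts": 30, "src": "10.0.0.78", "dst": "198.51.100.8", "dport": 25, "flags": "S"},
    {"ts": 100, "src": "10.0.0.78", "dst": "198.51.100.9", "dport": 25, "flags": "S"},
]

if __name__ == "__main__":
    for row in run(EVENTS):
        print(row)
```

Running it shows the two sides of the thread at once: 10.0.0.77 trips sid 2000327 on its fifth SYN and sid 2000326 on its RCPT TO, while the VRFY probe against 10.0.0.25 produces only "pass", so the hypothetical sid 9999999 never fires on it. Calling `run(EVENTS, pass_first=False)` shows that without pass-first ordering the probe is alerted on instead, which is exactly the trade-off Brian points out.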
