[Snort-sigs] http post on port 25

hans rosa.schwein at ...2991...
Tue Feb 8 08:47:40 EST 2005


hi all 

These days I noticed some strange dialogs on SMTP port 25.
Hosts around the world are trying to set up a dialog
immediately after the SYN - SYN ACK - ACK frames
with the following content:
 POST / HTTP/1.1
 Host: my.hostname.com:25
 Content-Type: text/plain
 ... and so on

OK, I am not crazy, I am really talking about e-mail, and
this is not the content of the message body, it's the TCP flow.
Later in the dialog there is an RSET, but game over
with sendmail and the greeting feature.

There is some additional info, like a tcpdump and a rule for
Snort, to be found at http://ma.yer.at/2005/smtp_post.html

I would be interested to hear if you also notice such traffic.
I can't believe it: are there any mail gateways which respond to
HTTP POST commands on port 25?

Here is the rule, which does the job for me perfectly:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP POST"; flow:to_server,established; content:"post"; nocase; content:"/"; nocase; pcre:"/^post\s+\/\s+http\/1\.1/smi"; classtype:attempted-recon; sid:050201; rev:10;)

I am new to Snort, so I don't know if this rule is correct;
for example, I don't know where to get a correct sid, so I took
the current date.
What I did was take another SMTP rule and modify the content.


best regards 
hans 

P.S.: I hope this is the correct forum, or should I post
      in the Snort-users list?

-- 
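Added example (not from the post or the linked page): the rule's pcre expressed in Python and run over constructed sample payloads, next to a tighter variant that is anchored to the very start of the client's first data (what Snort would express with depth/offset) and that goes beyond the post by accepting other HTTP methods, not only POST. The sample payloads and the method list are assumptions; the comparison shows that the /m flag lets the posted expression also fire on a line inside a mail body.

```python
import re

# Constructed sample client->server payloads for a TCP session to port 25
# (not captured traffic; they only mimic what the post describes).
SAMPLES = {
    "http_probe":  b"POST / HTTP/1.1\r\nHost: my.hostname.com:25\r\nContent-Type: text/plain\r\n\r\n",
    "normal_ehlo": b"EHLO mail.example.net\r\n",
    "get_probe":   b"GET / HTTP/1.0\r\n\r\n",
    # A DATA segment whose message body happens to begin a line with the
    # same text; only the loose expression should fire on this one.
    "mail_body":   b"DATA\r\nSubject: test\r\n\r\nPOST / HTTP/1.1 is what I saw\r\n.\r\n",
}

# Same expression as the posted rule's pcre option (/smi flags), with the
# dot in "1.1" escaped so it matches a literal dot only.
LOOSE_RE = re.compile(rb"^post\s+/\s+http/1\.1", re.S | re.M | re.I)

# Tighter variant (assumed): anchored at the start of the client's payload
# and accepting the common HTTP methods rather than POST alone.
STRICT_RE = re.compile(
    rb"\A(?:GET|POST|HEAD|PUT|OPTIONS)[ \t]+\S+[ \t]+HTTP/1\.[01]\r?\n", re.I
)


def loose_match(payload: bytes) -> bool:
    """True wherever some line of the payload begins 'POST / HTTP/1.1'."""
    return LOOSE_RE.search(payload) is not None


def strict_match(payload: bytes) -> bool:
    """True only when the payload itself starts with an HTTP request line."""
    return STRICT_RE.match(payload) is not None


def classify(samples: dict) -> dict:
    """Return {name: (loose, strict)} so the two behaviours can be compared."""
    return {name: (loose_match(p), strict_match(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (loose, strict) in classify(SAMPLES).items():
        print(f"{name:12s} loose={loose!s:5s} strict={strict}")
```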