[Snort-sigs] http post on port 25
rosa.schwein at ...2991...
Tue Feb 8 08:47:40 EST 2005
these days i noticed some strange dialogs on smtp port 25.
hosts around the world are trying to set up a dialog
immediately after the SYN - SYN ACK - ACK frames
with the following content:
POST / HTTP/1.1
... and so on
o.k. - i am not crazy, i really am speaking about e-mail, and
this is not the content of the message body, it's the tcp flow.
later in the dialog there is a RSET, but it's game over
with sendmail and the greeting feature.
there is some additional info, like a tcpdump and a rule for
snort, to be found at http://ma.yer.at/2005/smtp_post.html
i would be interested if you also notice such traffic.
i can't believe it, are there any mail gateways which respond to
http-post commands on port 25?
here is the rule, which does the job for me perfectly:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP POST"; flow:to_server,established; content:"post"; nocase; content:"/"; nocase; pcre:"/^post\s+\/\s+http\/1\.1/smi"; classtype:attempted-recon; sid:050201; rev:10;)
i am new to snort, so i don't know if this rule is correct.
for example, i don't know where to get a correct sid; i took
the current date.
what i did was take another smtp rule and modify the content.
p.s.: i hope this is the correct forum, or should i post
in the Snort-users list?
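As an added example (not part of the original post or the author's rule), the following Python snippet applies the posted rule's pcre pattern and flags to a few constructed client-to-server payloads, so the match behaviour can be checked offline before deploying the rule. It also shows one caveat of the `/m` flag: `^` then matches at the start of any line, so the pattern fires on a message body line after DATA as well as on the initial POST; a stricter stream-start anchor (my own variant, assumed, not from the post) is shown beside it.

```python
import re

# Pattern and flags taken from the posted rule: pcre:"/^post\s+\/\s+http\/1.1/smi"
# Snort's s, m, i modifiers correspond to re.S, re.M, re.I in Python.
SNORT_PCRE = re.compile(rb"^post\s+\/\s+http\/1\.1", re.S | re.M | re.I)

# Assumed stricter variant: only match when the POST is the very first
# thing the client sends (\A anchors to the start of the reassembled stream).
STRICT = re.compile(rb"\Apost\s+/\s+http/1\.1\r?\n", re.I)

# Constructed sample payloads (client -> server direction), not real captures.
SAMPLES = {
    # what the post describes: an HTTP POST sent straight after the handshake
    "http_post_first": b"POST / HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    # a normal SMTP client greeting
    "smtp_ehlo": b"EHLO client.example.com\r\n",
    # a legitimate SMTP session whose message body happens to contain the line
    "smtp_body_contains_post": (
        b"EHLO client.example.com\r\n"
        b"MAIL FROM:<a@example.com>\r\nRCPT TO:<b@example.com>\r\nDATA\r\n"
        b"Subject: test\r\n\r\nPOST / HTTP/1.1\r\n.\r\n"
    ),
    # a POST to a path other than "/" does not satisfy "\/\s+" in the pattern
    "http_post_other_path": b"POST /index.html HTTP/1.1\r\n",
}


def classify(payload: bytes) -> tuple[bool, bool]:
    """Return (matches_posted_rule, matches_strict_variant) for one payload."""
    return (SNORT_PCRE.search(payload) is not None,
            STRICT.search(payload) is not None)


def run_samples() -> dict[str, tuple[bool, bool]]:
    """Evaluate every constructed sample against both patterns."""
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (rule_hit, strict_hit) in run_samples().items():
        print(f"{name:28s} posted rule: {rule_hit!s:5s} strict: {strict_hit}")
```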