smtp flowbits (Was: Re: [Snort-sigs] False positive sid:498)

Mike Pomraning mjp-snortsigs at ...1399...
Wed Mar 23 20:45:32 EST 2005


On Wed, 23 Mar 2005, Mike Pomraning wrote:

>   # Ignore SMTP "DATA" from clients
>   alert tcp any any -> any 25
>     (msg:"SMTP DATA begun"; content: "|0D 0A|DATA|0D 0A|";
> 	  flowbits:set,opaque; flowbits:noalert; ...)

Hate to reply to my own post, but I realized I gave flowbits the short
shrift here -- they may be twiddled or checked by either side of the stream.
Rather than trust the client to identify when we're in or out of SMTP 'DATA'
mode, we can instead watch the server's pronouncement of the same:

   alert tcp any 25 -> any any
     (msg: "SMTP DATA Begun (354 seen)"; content: "|0D 0A|354";
 	 flow: established,from_server,only_stream;
 	 flowbits:set,SMTP-Data; flowbits: noalert; ...)

   alert tcp any 25 -> any any
     (msg: "SMTP DATA Ended (Response seen)";
 	 flowbits:isset,SMTP-Data; pcre: "/^354[^\n]+\n./m"; ...;)

and still use 'flowbits: isnotset,SMTP-Data' to limit F-Ps on client traffic
in SIDs like 498.

Regards,
Mike
-- 
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security




More information about the Snort-sigs mailing list