[Snort-users] sudden increase in "Mail Login" matches

Martin Roesch roesch at ...421...
Thu Nov 30 02:03:11 EST 2000


This rule looks like it goes off any time someone logs into your POP3 server
from outside your network.  Do you allow external POP3 access?


    -Marty

Nathan Spande wrote:
> 
> Hey all,
> 
> I noticed recently that when I grabbed the most recent source out of CVS,
> that this rule (and the parallel one that checks for PASS) started matching
> tons of web traffic.  Very odd indeed.  It looks like these are two of a
> very small set of rules that use the "<>" operator.  Any chance that
> something recently changed that would have caused that to start ignoring
> ports?  It looks like the content always matches (cookies that have USER
> fields, you know), but neither port does.
> 
> alert tcp !$HOME_NET any <> $HOME_NET 110 (msg:"Mail Login";flags:PA; content:"USER"; logto:"MAIL";)
> 
> I noticed a fix for a "!" problem recently, but applying that fix didn't
> take care of this.
> 
> Thanks!
> Nathan
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
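
A reference model of how the header of the rule quoted above should be evaluated, as an added example that is not part of the original thread and is not Snort's own code: with `<>` the address/port pairs are tried in both orientations, so a packet with port 110 on neither side must never reach the content check. The `HOME_NET` value, the sample packets and all function names are constructed assumptions.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed value for $HOME_NET

def in_home(ip):
    return ipaddress.ip_address(ip) in HOME_NET

def header_matches(src, sport, dst, dport):
    """Header '!$HOME_NET any <> $HOME_NET 110': try it as written, then swapped."""
    forward = (not in_home(src)) and in_home(dst) and dport == 110
    reverse = in_home(src) and sport == 110 and (not in_home(dst))
    return forward or reverse

def rule_fires(pkt):
    """Header check first, then flags:PA (exactly PSH+ACK) and content:"USER"."""
    src, sport, dst, dport, flags, payload = pkt
    if not header_matches(src, sport, dst, dport):
        return False
    return flags == "PA" and b"USER" in payload

def unexpected_alerts(alerted):
    """Alerted packets whose header cannot match the rule: these point at the
    engine ignoring ports, not at a noisy rule."""
    return [p for p in alerted if not header_matches(*p[:4])]

# Constructed sample packets: (src, sport, dst, dport, flags, payload)
POP3_IN = ("198.51.100.7", 40000, "192.0.2.10", 110, "PA", b"USER alice\r\n")
POP3_OUT = ("192.0.2.10", 110, "198.51.100.7", 40000, "PA", b"-ERR USER unknown\r\n")
WEB_IN = ("198.51.100.7", 40001, "192.0.2.20", 80, "PA",
          b"GET / HTTP/1.0\r\nCookie: USER=bob\r\n\r\n")
LAN_POP3 = ("192.0.2.5", 40002, "192.0.2.10", 110, "PA", b"USER carol\r\n")

if __name__ == "__main__":
    for name, pkt in [("POP3_IN", POP3_IN), ("POP3_OUT", POP3_OUT),
                      ("WEB_IN", WEB_IN), ("LAN_POP3", LAN_POP3)]:
        print(name, rule_fires(pkt))
    # Feed in the packets a sensor alerted on; anything returned here has
    # port 110 on neither side and should not have matched.
    print(unexpected_alerts([POP3_IN, WEB_IN, POP3_OUT]))
```

Running the logged "Mail Login" alerts through `unexpected_alerts` separates legitimate external POP3 logins from alerts that can only come from the port test being skipped.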


