[Snort-users] sudden increase in "Mail Login" matches
NSpande at ...620...
Thu Nov 30 10:00:53 EST 2000
Nope, that's the odd part. It has been matching on traffic to ports other
than 110 - specifically I've seen matches to ports 25 and 80, with various
high numbered ports on the other end of the connection. We do allow HTTP
and SMTP :)
I'm looking at a packet now that triggered it. The source port is 62997,
dest is 80. The cookie passed contains the string USER, flags PA, source
IP is not in $HOME_NET, dest IP is in $HOME_NET. That all seems right,
except for the port. I'd normally attach a packet, but this is traffic to
one of our e-commerce servers, so I'm a bit hesitant to do that. Let me
know if the info given isn't enough to help debug.
The version of snort used is whatever was in CVS module snort yesterday.
From: Martin Roesch [mailto:roesch at ...421...]
Sent: Thursday, November 30, 2000 2:03 AM
To: Nathan Spande
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] sudden increase in "Mail Login" matches
This rule looks like it goes off any time someone logs into your POP3 server
from outside your network. Do you allow external POP3 access?
Nathan Spande wrote:
> Hey all,
> I noticed recently that when I grabbed the most recent source out of CVS,
> that this rule (and the parallel one that checks for PASS) started
> matching tons of web traffic. Very odd indeed. It looks like these are two of a
> very small set of rules that use the "<>" operator. Any chance that
> something recently changed that would have caused that to start ignoring
> ports? It looks like the content always matches (cookies that have USER
> fields, you know), but neither port does.
> alert tcp !$HOME_NET any <> $HOME_NET 110 (msg:"Mail Login";flags:PA;
> content:"USER"; logto:"MAIL";)
> I noticed a fix for a "!" problem recently, but applying that fix didn't
> take care of this.
roesch at ...421...
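To make the expected behaviour of the "<>" operator concrete, here is a small Python model of Snort-style rule header matching. It is an added example, not Snort's own code and not from anyone in this thread; the addresses (192.0.2.0/24 as $HOME_NET, 198.51.100.7 as an outside host) and the packet records are constructed, and the parser covers only the small subset of header syntax the "Mail Login" rule uses. The point it shows: with "<>" both orientations of the conversation are tried, but the IP and port pairs always travel together, so a cookie containing "USER" on port 80 must not fire a rule that names port 110.

```python
import ipaddress

# Constructed example value standing in for the $HOME_NET variable.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")


def match_ip(spec, addr):
    """Match one address against 'any', '$HOME_NET', a CIDR, or a '!'-negated form."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec == "$HOME_NET":
        hit = ipaddress.ip_address(addr) in HOME_NET
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
    return hit != negate


def match_port(spec, port):
    """Match one port against 'any', a single port number, or a '!'-negated form."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or int(spec) == port
    return hit != negate


def parse_header(text):
    """Parse 'alert tcp !$HOME_NET any <> $HOME_NET 110' into its seven fields."""
    action, proto, src_ip, src_port, direction, dst_ip, dst_port = text.split()
    if direction not in ("->", "<>"):
        raise ValueError("unknown direction operator: %s" % direction)
    return dict(action=action, proto=proto, src_ip=src_ip, src_port=src_port,
                direction=direction, dst_ip=dst_ip, dst_port=dst_port)


def header_matches(rule, pkt):
    """True if the packet's endpoints satisfy the rule header.

    For '<>' the rule is tried in both orientations, but each orientation
    keeps the IP spec and port spec of a side together: ports are never
    dropped from the comparison.
    """
    def one_way(a_ip, a_port, b_ip, b_port):
        return (match_ip(a_ip, pkt["src_ip"]) and match_port(a_port, pkt["src_port"])
                and match_ip(b_ip, pkt["dst_ip"]) and match_port(b_port, pkt["dst_port"]))

    forward = one_way(rule["src_ip"], rule["src_port"], rule["dst_ip"], rule["dst_port"])
    if rule["direction"] == "->":
        return forward
    reverse = one_way(rule["dst_ip"], rule["dst_port"], rule["src_ip"], rule["src_port"])
    return forward or reverse


def rule_fires(rule, pkt):
    """Header plus the two options the Mail Login rule uses: flags PA and content USER."""
    if not header_matches(rule, pkt):
        return False
    if not ("P" in pkt["flags"] and "A" in pkt["flags"]):
        return False
    return b"USER" in pkt["payload"]


MAIL_LOGIN = parse_header("alert tcp !$HOME_NET any <> $HOME_NET 110")

# Constructed packets: an outside POP3 login, the server's reply in the
# other direction, the cookie-bearing web request from the thread, and an
# internal POP3 login that should stay quiet.
POP_LOGIN = dict(src_ip="198.51.100.7", src_port=51000, dst_ip="192.0.2.10",
                 dst_port=110, flags="PA", payload=b"USER alice\r\n")
POP_REPLY = dict(src_ip="192.0.2.10", src_port=110, dst_ip="198.51.100.7",
                 dst_port=51000, flags="PA", payload=b"+OK USER accepted\r\n")
WEB_COOKIE = dict(src_ip="198.51.100.7", src_port=62997, dst_ip="192.0.2.10",
                  dst_port=80, flags="PA", payload=b"GET / HTTP/1.0\r\nCookie: USER=bob\r\n")
INTERNAL_POP = dict(src_ip="192.0.2.5", src_port=4000, dst_ip="192.0.2.10",
                    dst_port=110, flags="PA", payload=b"USER carol\r\n")

if __name__ == "__main__":
    for name, pkt in [("POP_LOGIN", POP_LOGIN), ("POP_REPLY", POP_REPLY),
                      ("WEB_COOKIE", WEB_COOKIE), ("INTERNAL_POP", INTERNAL_POP)]:
        print(name, rule_fires(MAIL_LOGIN, pkt))
```

Running it prints True for the two POP3 packets and False for the web request and the internal login. If a sensor reports the web request as a match, the port comparison has been lost somewhere in the "<>" path, which is exactly the symptom described in the thread.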