[Snort-users] sorta new at doing this with snort

Don Don at ...5881...
Wed Jul 3 23:51:04 EDT 2002


Any help would be appreciated. I have a mail server, of course, and am
currently getting bombarded with the $domain type of spam, and bogus address
stuff. The spam doesn't relay, but every one of my users gets tons of email
from themselves, and every other username or list name on the network,
primarily postmaster/webmaster etc. I'd like to get snort to alert when
anything/anyone connects to my mail server with the $domain as their HELO or
EHLO name, and as a result of the alert, automatically place that IP in a
block list using iptables or whatever I have the option to use, possibly
blocking the IP for a period of time, or indefinitely, or until I remove it
manually. Any of those options would work for me really. Any ideas? If you
need more info on what I am trying to do, contact me off-list and I'll try
to explain in more detail.
Also,
I'd like to set up a separate rule on other boxes to look for, say, the word
"bogus" or "thisismypassword" or any single word on a specific port. Any
suggestions on how to do that? In one case I wish to make sure passwords
aren't sent in cleartext; in another case, I just want to see if particular
words are passed through port 20 for instance.

win32/win2k latest snort and ruleset, as of a week or 2 ago

Don
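Two local rules of the kind the post asks about, added here as an example (not from the post or the Snort ruleset). Assumptions: `$SMTP_SERVERS`, `$HOME_NET` and `$EXTERNAL_NET` are set in snort.conf, `spam.example` stands in for the poster's `$domain`, the keyword and port come from the post, and the sid range 1000000+ is free for local rules.

```snort
# Added example rules, not from the list post.  "spam.example" is a placeholder
# for the poster's $domain; adjust the variables to match snort.conf.

# 1. Alert when an SMTP client greets the server with HELO/EHLO spam.example.
#    The cheap content match runs first; the pcre anchors the check to the
#    start of a line so "spam.example" buried elsewhere in the session is ignored.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"LOCAL SMTP HELO/EHLO from spam.example"; \
    flow:to_server,established; \
    content:"spam.example"; nocase; \
    pcre:"/^(HELO|EHLO)\s+spam\.example/mi"; \
    classtype:misc-activity; sid:1000001; rev:1;)

# 2. Alert on a single keyword passing in cleartext on a specific port.
#    nocase makes the match case-insensitive; drop it for an exact-case hit.
alert tcp any any -> $HOME_NET 20 (msg:"LOCAL cleartext keyword thisismypassword on port 20"; \
    flow:established; \
    content:"thisismypassword"; nocase; \
    classtype:policy-violation; sid:1000002; rev:1;)
```

Snort itself only alerts; turning an alert into an iptables block needs a separate tool watching the alert output, and any automatic block should carry an expiry. Note that FTP credentials travel on the control channel (port 21), so a rule on port 20 (the data channel) would not see a USER/PASS exchange.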