[Snort-users] Count option WAS smtp rcpt to overflow
greg at ...5676...
Thu Jun 13 17:44:17 EDT 2002
I have been trying to use Snort to help us deal with a 'Joe Job' style
spam attack. (A domain we host was used as the From address for a spam
run that has meant that we are receiving all the undeliverables -- all 1
million+ and counting - over 6Gb easily)
One of the things that would be really great was if snort could deal
with a rule if it was seen 'x' number of times within a certain
timeframe. Kinda like the portscan stuff I guess.
Just an idea while I was playing with Snort a few nights ago.
From: Edwin Eefting [mailto:edwin at ...2758...]
Sent: Thursday, 6 June 2002 1:32 AM
To: Hugo Ferr; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] smtp rcpt to overflow
On Wed, 5 Jun 2002 10:44:42 -0400 Hugo Ferr <snortgrp at ...125...>
> 'SMTP RCPT TO' overflow is buffer overflow for Lotus Sevrers. I have
<snip> (maybe there should be added some "count option" for such
to these rules.)
More information about the Snort-users