[Snort-users] Multiple Content (not working?)

Matt Kettler mkettler at ...4108...
Wed May 15 10:47:04 EDT 2002

Hmm, as a bit of a side note, this sounds more like a job better fixed by 
configuring your mailserver's access rules or using procmail than using snort.

Also of note, Flexresp is *NOT* a sure thing and you should NEVER count on 
it as a primary line of preventing a known attack. EVER. No, really, if 
you're relying on flexresp to stop traffic you don't want you're going to 
have it fail sooner or later. It's more of a last-ditch effort to stop an 
attack that you did not know was possible on your network. It only really 
has a chance of working due to network latencies, and a deliberate attacker 
can fire off a second packet right behind the offending one to advance the 
sequence number and likely do so before snort can respond.

At any rate, given normal SMTP transactions the from and to lines are not 
likely to be in the same TCP segment, since the server has to reply after 
the "MAIL FROM" command and the "RCPT TO" command. Hence your pass rule 
will not likely ever trigger in reality, unless the person delivering mail 
to your server is not SMTP compliant and is just firing off commands 
without waiting for acknowledgement from the server.

At 05:26 AM 5/15/2002 -0300, you wrote:
>I'm with some problems here while trying to configure
>multiple content options to a rule.
>I need to block a unique e-mail address to send messages
>to all my users, but this messages can be posted to me.
>well... I've tried two rules:
>pass tcp $SMTPX any -> $MYSMTP 25
>(content:"that at ...1266...";nocase;content:"my at ...1266...";n
>alert tcp $SMTPX any -> $MYSMTP 25
>(content:"that at ...1266...";nocase;resp:rst_all;)
>May anyone help me to this work? plz!
>I've lost some nights trying to figure out what's wrong.
>Thanks in advance.
>Best Regards
>Carlos Kumbak
>ckumbak at ...1331...
>Quer ter seu próprio endereço na Internet?
>Garanta já o seu e ainda ganhe cinco e-mails personalizados.
>DomíniosBOL - http://dominios.bol.com.br
>Have big pipes? SourceForge.net is looking for download mirrors. We supply
>the hardware. You get the recognition. Email Us: bandwidth at ...382...
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list