[Snort-users] Multiple Content (not working?)
mkettler at ...4108...
Wed May 15 10:47:04 EDT 2002
Hmm, as a bit of a side note, this sounds more like a job better fixed by
configuring your mailserver's access rules or using procmail than using snort.
Also of note, Flexresp is *NOT* a sure thing and you should NEVER count on
it as a primary line of preventing a known attack. EVER. No, really, if
you're relying on flexresp to stop traffic you don't want you're going to
have it fail sooner or later. It's more of a last-ditch effort to stop an
attack that you did not know was possible on your network. It only really
has a chance of working due to network latencies, and a deliberate attacker
can fire off a second packet right behind the offending one to advance the
sequence number and likely do so before snort can respond.
At any rate, given normal SMTP transactions, the from and to lines are not
likely to be in the same TCP segment, since the server has to reply after
the "MAIL FROM" command and the "RCPT TO" command. Hence your pass rule
will not likely ever trigger in reality, unless the person delivering mail
to your server is not SMTP compliant and is just firing off commands
without waiting for acknowledgement from the server.
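To make the segment argument concrete, here is an added example (not from the thread and not Snort code) that replays a constructed SMTP client dialogue, one command per TCP segment, and applies the two checks behind the posted rules: the single-content alert check fires on the MAIL FROM segment, while the two-content pass check never finds both addresses in one segment and only succeeds over the reassembled client stream. The addresses and hostnames are placeholders.

```python
"""Per-segment vs reassembled content matching on an SMTP dialogue.

Constructed data, not a capture: each client command is its own TCP
segment because a compliant client waits for the server's reply before
sending the next command.
"""

# Constructed client-side segments of one SMTP session (addresses are
# placeholders, not the ones from the thread).
CLIENT_SEGMENTS = [
    b"HELO relay.example.net\r\n",
    b"MAIL FROM:<blocked@example.org>\r\n",
    b"RCPT TO:<me@example.com>\r\n",
    b"DATA\r\n",
    b"Subject: hi\r\n\r\nbody\r\n.\r\n",
    b"QUIT\r\n",
]

# Content patterns standing in for the two rules' content: options.
ALERT_PATTERNS = [b"blocked@example.org"]                   # one content
PASS_PATTERNS = [b"blocked@example.org", b"me@example.com"]  # two contents


def all_contents_match(buf: bytes, patterns) -> bool:
    """True when every pattern occurs in the SAME buffer (nocase)."""
    low = buf.lower()
    return all(p.lower() in low for p in patterns)


def matches_per_segment(segments, patterns) -> list:
    """Indices of individual segments where every pattern matches.

    This models a rule evaluated against each packet on its own.
    """
    return [i for i, seg in enumerate(segments)
            if all_contents_match(seg, patterns)]


def matches_reassembled(segments, patterns) -> bool:
    """Same check over the reassembled client-to-server stream."""
    return all_contents_match(b"".join(segments), patterns)


if __name__ == "__main__":
    # Alert rule: fires on the MAIL FROM segment (index 1).
    print("alert per segment:", matches_per_segment(CLIENT_SEGMENTS, ALERT_PATTERNS))
    # Pass rule: both addresses never share a segment, so it never fires.
    print("pass per segment: ", matches_per_segment(CLIENT_SEGMENTS, PASS_PATTERNS))
    # Only a stream-level view sees both commands together.
    print("pass reassembled: ", matches_reassembled(CLIENT_SEGMENTS, PASS_PATTERNS))
```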
At 05:26 AM 5/15/2002 -0300, you wrote:
>I'm having some problems here while trying to configure
>multiple content options in a rule.
>I need to block a single e-mail address from sending messages
>to all my users, but these messages may still be posted to me.
>well... I've tried two rules:
>pass tcp $SMTPX any -> $MYSMTP 25
>(content:"that at ...1266...";nocase;content:"my at ...1266...";n
>alert tcp $SMTPX any -> $MYSMTP 25
>(content:"that at ...1266...";nocase;resp:rst_all;)
>Can anyone help me get this to work? Please!
>I've lost some nights trying to figure out what's wrong.
>Thanks in advance.
>ckumbak at ...1331...