[Snort-users] SMTP Relaying bug

Pauling pauling at ...7196...
Tue Jan 14 14:03:05 EST 2003


That's exactly my point, However I feel that the rule itself is confusing, 
becuase when looking at the syslog style log messages, you get (Your IP 
address) -> (adress of attempted relay tester) SMTP Relaying denied.

To me it seems that the snort rules language exibits a weakness here, 
simply by being able to determine which way the "550 5.7.1" goes, rather 
than showing that the blocked message come to your system.


On Tue, 14 Jan 2003, L. Christopher Luther wrote:

> 
> If you're talking about the following rule:  
> 
> alert tcp $SMTP 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied";
> flags:A+; content: "550 5.7.1"; depth:70;
> reference:url,mail-abuse.org/tsi/ar-fix.html; reference:arachnids,249;
> classtype:misc-activity; sid:567; rev:8;)
> 
> then what you have is a rule that traps when *your* mail server responds
> from its own TCP port 25 to any outside network on any port, and the
> response contains the text "550 5.7.1".  This implies that someone outside
> your network attempted to use your SMTP server as a relay point and your
> server denied the relay attempt, not that your server is attempting to send
> mail through a closed relay.  That rule would be something like:  
> 
> alert tcp $EXTERNAL_NET 25 -> $SMTP any (msg:"POLICY SMTP relaying denied";
> flags:A+; content: "550 5.7.1"; depth:70;
> reference:url,mail-abuse.org/tsi/ar-fix.html; reference:arachnids,249;
> classtype:misc-activity; sid:567; rev:8;)  
> 
> Hope this helps.  
> 
> Christopher
> 
> -----Original Message-----
> Date: Tue, 14 Jan 2003 12:22:36 -0500 (EST)
> From: Pauling <pauling at ...7196...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] SMTP Relaying bug
> 
> Has anybody noticed this, that the Alert for an SMTP relay attack monitors 
> the 550 RELAING DENIED message, and as such, gives a misleading 
> notification implying that your server is attempting to send mail through 
> a closed relay.
> 
> I'm not very good at writing snort rules, but is there any way to 
> efectively reverse this, so that the alert reads that a mail message from 
> $EXTERNAL_NET was not relayed through $SMTP_SERVERS
> 
> 

-- 
Frank Barton
Starwolf.biz Systems Administrator






More information about the Snort-users mailing list