[Snort-users] SMTP Relaying bug

L. Christopher Luther CLuther at ...6333...
Tue Jan 14 14:21:03 EST 2003


Weakness or not, this is open source after all.  

> [...snip...] but is there any way to 
> effectively reverse this, so that the alert reads that a mail message from 
> $EXTERNAL_NET was not relayed through $SMTP_SERVERS

You can change the rule message text to your heart's desire, but Snort will
continue to show "source_ip:port -> dest_ip:port" (i.e., $SMTP:25 ->
$EXTERNAL_NET:ANY) in its alert text.  

You've got the source code, why not make whatever changes you desire?  

Cheers!  :) 

-----Original Message-----
From: Pauling [mailto:pauling at ...7196...]
Sent: Tuesday, January 14, 2003 5:03 PM
To: L. Christopher Luther
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] SMTP Relaying bug


That's exactly my point, however I feel that the rule itself is confusing, 
because when looking at the syslog style log messages, you get (Your IP 
address) -> (address of attempted relay tester) SMTP Relaying denied.

To me it seems that the snort rules language exhibits a weakness here, 
simply by being able to determine which way the "550 5.7.1" goes, rather 
than showing that the blocked message came to your system.


On Tue, 14 Jan 2003, L. Christopher Luther wrote:

> 
> If you're talking about the following rule:  
> 
> alert tcp $SMTP 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied";
> flags:A+; content: "550 5.7.1"; depth:70;
> reference:url,mail-abuse.org/tsi/ar-fix.html; reference:arachnids,249;
> classtype:misc-activity; sid:567; rev:8;)
> 
> then what you have is a rule that traps when *your* mail server responds
> from its own TCP port 25 to any outside network on any port, and the
> response contains the text "550 5.7.1".  This implies that someone outside
> your network attempted to use your SMTP server as a relay point and your
> server denied the relay attempt, not that your server is attempting to send
> mail through a closed relay.  That rule would be something like:  
> 
> alert tcp $EXTERNAL_NET 25 -> $SMTP any (msg:"POLICY SMTP relaying denied";
> flags:A+; content: "550 5.7.1"; depth:70;
> reference:url,mail-abuse.org/tsi/ar-fix.html; reference:arachnids,249;
> classtype:misc-activity; sid:567; rev:8;)  
> 
> Hope this helps.  
> 
> Christopher
> 
> -----Original Message-----
> Date: Tue, 14 Jan 2003 12:22:36 -0500 (EST)
> From: Pauling <pauling at ...7196...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] SMTP Relaying bug
> 
> Has anybody noticed this, that the Alert for an SMTP relay attack monitors
> the 550 RELAYING DENIED message, and as such, gives a misleading 
> notification implying that your server is attempting to send mail through 
> a closed relay.
> 
> I'm not very good at writing snort rules, but is there any way to 
> effectively reverse this, so that the alert reads that a mail message from 
> $EXTERNAL_NET was not relayed through $SMTP_SERVERS
> 
> 

-- 
Frank Barton
Starwolf.biz Systems Administrator
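The direction point made in the reply above, as an added Python example that is not part of this thread or of Snort itself: a toy matcher for the two quoted rules, run over constructed packets, shows that the same "550 5.7.1" payload fires sid:567 only when our own server is the sender, and that the address pair in the alert always follows the packet, whatever the msg text says. The $SMTP and $EXTERNAL_NET bindings, addresses, ports and payloads are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed bindings standing in for the snort.conf variables $SMTP and $EXTERNAL_NET.
SMTP = ipaddress.ip_network("192.0.2.25/32")            # our mail server (assumed address)
EXTERNAL_NET = ipaddress.ip_network("198.51.100.0/24")  # everything outside (assumed)
@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

@dataclass
class Rule:  # simplified 'alert tcp SRC SPORT -> DST DPORT (content:...; depth:N;)'
    msg: str
    src_net: ipaddress.IPv4Network
    sport: Optional[int]  # None stands for Snort's 'any'
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]
    content: bytes
    depth: int

    def matches(self, pkt: Packet) -> bool:
        # The header honours '->': src_net/sport must describe the SENDER of this packet.
        header_ok = (ipaddress.ip_address(pkt.src) in self.src_net
                     and ipaddress.ip_address(pkt.dst) in self.dst_net
                     and self.sport in (None, pkt.sport)
                     and self.dport in (None, pkt.dport))
        # 'content' with 'depth:N' only inspects the first N payload bytes.
        return header_ok and self.content in pkt.payload[: self.depth]

    def alert(self, pkt: Packet) -> str:
        # Snort-style fast alert: the address pair is always the firing packet's src -> dst.
        return f"[**] {self.msg} [**] {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
# sid:567 as quoted on the list: OUR server's port 25 talking to the outside.
SID_567 = Rule("POLICY SMTP relaying denied", SMTP, 25, EXTERNAL_NET, None, b"550 5.7.1", 70)
# The reversed variant from the reply: an OUTSIDE server's port 25 talking to our host.
REVERSED = Rule("POLICY SMTP relaying denied (outbound)", EXTERNAL_NET, 25, SMTP, None, b"550 5.7.1", 70)
# Constructed packets, not captured traffic: our server rejecting a relay attempt, and
# an outside server rejecting mail we tried to send to it.
DENIED_RELAY = Packet("192.0.2.25", 25, "198.51.100.7", 40123,
                      b"550 5.7.1 <victim@example.net>... Relaying denied\r\n")
OUR_MAIL_REJECTED = Packet("198.51.100.9", 25, "192.0.2.25", 51022, b"550 5.7.1 Relaying denied\r\n")

def fired(pkt: Packet) -> list:
    """Alert lines the two rules produce for one packet (empty list if neither fires)."""
    return [r.alert(pkt) for r in (SID_567, REVERSED) if r.matches(pkt)]
```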


