[Snort-users] Swen.A results with Snort-inline (protocol anomaly detection)

Thu Sep 25 13:47:07 EDT 2003

We have had some success with Snort-inline to stop the Swen.A virus from
crippling our email system. We managed to reduce the amount of mail
entering our environment by more than 90%.

However, because we used the "reject" action with TCP resets to both the
sending MTA and our MTA, the result was a not very graceful reject of
mail and probably some pain for many service providers who had to deal
with the backlog in mail delivery that this strategy created
(considering that they are the only people who can do something about
this, a little bit of pain might not be such a bad idea).


However, this raised another question. All the Snort plugins are focused
on detection. In this specific case, it would have been great to have a
Snort plugin that could partake in the SMTP conversation and bring the
line down a little bit more gracefully (e.g. remember the message id of
offending mail, reset the TCP session when it detects a bad packet and
then return an SMTP 550 message to the relaying MTA on the next

This is obviously more focused on IPS than IDS, but it also leads me to
think more about protocol anomaly detection. Any work currently
happening in understanding application protocols and how to package this
in a plugin framework or any chance of extending an existing protocol
analysis plugin to include this functionality (conversation?)?
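As an added illustration (not code from the original post or from Snort-inline) of the gentler rejection described above: a minimal filter that follows the client side of an SMTP dialog, remembers the message ids it has refused, and answers the end of DATA with a 550 itself instead of tearing the TCP session down. The attachment check, the sample dialog and the reply text are constructed placeholders, not a Swen.A signature.

```python
import re

# Constructed placeholder standing in for a real signature (not a Swen.A rule):
# refuse any message whose attachment name looks like an executable.
SUSPICIOUS_ATTACHMENT = re.compile(
    r'^Content-Disposition:.*filename="[^"]*\.(exe|pif|scr)"', re.I | re.M)
MESSAGE_ID = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.I | re.M)


class SmtpFilter:
    """Follows one client-side SMTP dialog and answers the end of DATA itself
    when the message is refused; everything else is left to the real MTA."""

    def __init__(self, is_bad=lambda body: bool(SUSPICIOUS_ATTACHMENT.search(body))):
        self.is_bad = is_bad
        self.in_data = False
        self.body = []
        self.rejected_ids = set()   # remembered so a retry is refused without a rescan

    def feed(self, line):
        """One CRLF-stripped line from the relaying MTA -> reply string, or None to pass through."""
        if not self.in_data:
            if line.split(" ", 1)[0].upper() == "DATA":
                self.in_data, self.body = True, []
            return None
        if line != ".":
            # undo SMTP dot-stuffing before handing the body to the detector
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        self.in_data = False
        body = "\n".join(self.body)
        m = MESSAGE_ID.search(body)
        msg_id = m.group(1) if m else None
        if msg_id in self.rejected_ids or self.is_bad(body):
            if msg_id:
                self.rejected_ids.add(msg_id)
            return "550 5.7.1 Message refused by content policy"
        return None   # clean: the real MTA's 250 goes back to the client


def run_session(lines, filt=None):
    """Replay a client-side transcript; returns the filter's replies and the filter itself."""
    filt = filt or SmtpFilter()
    replies = [r for r in (filt.feed(l) for l in lines) if r]
    return replies, filt


# Constructed sample dialog (client side only): one refused and one clean message.
SAMPLE = ["EHLO relay.example", "MAIL FROM:<a@example>", "RCPT TO:<b@example.net>", "DATA",
          "Message-ID: <bad1@example>", 'Content-Disposition: attachment; filename="patch.exe"',
          "", "..leading dot line", ".",
          "MAIL FROM:<c@example>", "RCPT TO:<b@example.net>", "DATA",
          "Message-ID: <ok1@example>", "", "hello", "."]

if __name__ == "__main__":
    print(run_session(SAMPLE)[0])
```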


