[Snort-users] SMTP Backscatter

waldo kitty wkitty42 at ...14940...
Sun Feb 16 19:35:15 EST 2014


On 2/16/2014 10:40 AM, Jeff Kell wrote:
> On 2/16/2014 10:25 AM, waldo kitty wrote:
>> On 2/16/2014 9:54 AM, Dave Corsello wrote:
>>> Guys, thanks, but I don't need advice on setting up SMTP--at least not
>>> in this situation.  Just looking for an answer to the following:  Can
>>> Snort somehow: 1) detect an outgoing 450 4.1.1 error;
>> yes, it can easily do this...
>>
>>> and in response, 2) block all incoming SMTP traffic from the sender IP for a
>>> period of time?
>> i'm not aware of this ever having been done...
>
> It may have been possible with certain incantations of Snortsam, which
> could block *specific* traffic for certain output plugin modules.

understood...

> Current Snortsam functionality, with plugin support in barnyard2 (no
> more snort source patching) can be used to block the source IP
> (unilaterally).  So you would block the attacking IP across the board of
> protocols/destinations.  We do this on our inbound SMTP (to detect
> spamming / farming) as well as outbound (compromised hosts used to send
> spam).

here's the problem that i see... everything references the *source* IP causing 
the alert... when one is using a rule to detect an internal server's response to 
an external attacker, the internal server is the source of the alert... you 
*don't* want to block that server... instead, you want to block the 
/destination/ IP...

i've never run snortsam because i didn't hear about it until after i had my 
solution in distribution... i have done some research on snortsam but dropped it 
when the snort developers basically made it obsolete... in my researching, i 
don't recall seeing anything where one could block the destination server in a 
situation like this... if this is/was possible, i'd love to know about it :)

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.




More information about the Snort-users mailing list