[Snort-users] SMTP Backscatter
wkitty42 at ...14940...
Sun Feb 16 19:35:15 EST 2014
On 2/16/2014 10:40 AM, Jeff Kell wrote:
> On 2/16/2014 10:25 AM, waldo kitty wrote:
>> On 2/16/2014 9:54 AM, Dave Corsello wrote:
>>> Guys, thanks, but I don't need advice on setting up SMTP--at least not
>>> in this situation. Just looking for an answer to the following: Can
>>> Snort somehow: 1) detect an outgoing 450 4.1.1 error;
>> yes, it can easily do this...
>>> and in response, 2) block all incoming SMTP traffic from the sender IP for a
>>> period of time?
>> i'm not aware of this ever having been done...
> It may have been possible with certain incantations of Snortsam, which
> could block *specific* traffic for certain output plugin modules.
> Current Snortsam functionality, with plugin support in barnyard2 (no
> more snort source patching) can be used to block the source IP
> (unilaterally). So you would block the attacking IP across the board of
> protocols/destinations. We do this on our inbound SMTP (to detect
> spamming / farming) as well as outbound (compromised hosts used to send

here's the problem that i see... everything references the *source* IP causing
the alert... when one is using a rule to detect an internal server's response to
an external attacker, the internal server is the source of the alert... you
*don't* want to block that server... instead, you want to block the

i've never run snortsam because i didn't hear about it until after i had my
solution in distribution... i have done some research on snortsam but dropped it
when the snort developers basically made it obsolete... in my researching, i
don't recall seeing anything where one could block the destination server in a
situation like this... if this is/was possible, i'd love to know about it :)
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
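Added example, not code from this thread or from Snort/Snortsam: a small Python post-processor over constructed Snort fast-alert lines for a rule of the kind discussed above (our MTA's outgoing 450 4.1.1 reply), which keys a temporary block on the alert's destination IP (the external sender) rather than its source (the internal MTA). The rule text, sid 1000001, the 30-minute hold and all addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed local rule that fires on our own MTA's outgoing 450 4.1.1 reply
# (sid 1000001 is a constructed placeholder, not a real Snort/ET sid):
#   alert tcp $HOME_NET 25 -> $EXTERNAL_NET any (msg:"SMTP 450 4.1.1 reply";
#     flow:established,from_server; content:"450 4.1.1"; sid:1000001; rev:1;)
BACKSCATTER_SID = "1000001"
BLOCK_FOR = timedelta(minutes=30)  # assumed hold time per sender IP

# Snort "fast" alert line: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src:sp -> dst:dp
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None for lines that do not parse."""
    m = FAST_ALERT.match(line)
    return m.groupdict() if m else None

def block_list(lines, sid=BACKSCATTER_SID, hold=BLOCK_FOR, year=2014):
    """Map external sender IP -> block expiry. The alert packet is the MTA's
    reply, so its *source* is our server and its *destination* is the sender
    to block; a repeat alert extends the existing entry instead of shortening it."""
    blocks = {}
    for line in lines:
        a = parse_fast_alert(line)
        if a is None or a["sid"] != sid or a["sport"] != "25":
            continue  # other rules, or traffic not from our MTA's port 25
        seen = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        blocks[a["dst"]] = max(blocks.get(a["dst"], seen), seen + hold)
    return blocks

def active_blocks(blocks, now):
    """IPs whose temporary block is still in force at `now`, sorted."""
    return sorted(ip for ip, expiry in blocks.items() if expiry > now)

# Constructed sample alerts; 192.0.2.25 is our MTA, the others are senders.
SAMPLE_ALERTS = [
    "02/16-09:54:00.000001  [**] [1:1000001:1] SMTP 450 4.1.1 reply [**] "
    "[Priority: 0] {TCP} 192.0.2.25:25 -> 198.51.100.7:51234",
    "02/16-09:55:10.000002  [**] [1:1000001:1] SMTP 450 4.1.1 reply [**] "
    "[Priority: 0] {TCP} 192.0.2.25:25 -> 203.0.113.9:44000",
    "02/16-09:56:00.000003  [**] [1:2000:5] unrelated rule [**] "
    "[Priority: 2] {TCP} 192.0.2.25:25 -> 198.51.100.99:4000",
    "02/16-10:20:00.000004  [**] [1:1000001:1] SMTP 450 4.1.1 reply [**] "
    "[Priority: 0] {TCP} 192.0.2.25:25 -> 198.51.100.7:51300",
]
```

Whatever enforces the block (firewall rule, MTA access map) should consume `active_blocks()` and expire entries, since the point of the thread is a block "for a period of time", not a permanent one.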