Snort mailing list archives
Re: Multiple Content (not working?)
From: "F.M. Taylor" <root () uranium indstate edu>
Date: Wed, 15 May 2002 15:09:07 -0500 (EST)
Another thing that should be considered. <voice of experience> Even when FlexResp is working properly against an SMTP server all it does is drop the connection, at which time the MTA on their end simply tries again, eating up your CPU and bandwidth. You are only delaying the inevitable. </voe>

On Wed, 15 May 2002, Matt Kettler wrote:

> Hmm, as a bit of a side note, this sounds more like a job better fixed by configuring your mailserver's access rules or using procmail than using snort.
>
> Also of note, Flexresp is *NOT* a sure thing and you should NEVER count on it as a primary line of preventing a known attack. EVER. No, really, if you're relying on flexresp to stop traffic you don't want, you're going to have it fail sooner or later. It's more of a last-ditch effort to stop an attack that you did not know was possible on your network. It only really has a chance of working due to network latencies, and a deliberate attacker can fire off a second packet right behind the offending one to advance the sequence number and likely do so before snort can respond.
>
> At any rate, given normal SMTP transactions the from and to lines are not likely to be in the same TCP segment, since the server has to reply after the "MAIL FROM" command and the "RCPT TO" command. Hence your pass rule will not likely ever trigger in reality, unless the person delivering mail to your server is not SMTP compliant and is just firing off commands without waiting for acknowledgement from the server.
>
> At 05:26 AM 5/15/2002 -0300, you wrote:
>
> > Hello,
> >
> > I'm having some problems here while trying to configure multiple content options in a rule. I need to block a single e-mail address from sending messages to all my users, but these messages can be posted to me. Well... I've tried two rules:
> >
> >   pass tcp $SMTPX any -> $MYSMTP 25 (content:"that@email.com"; nocase; content:"my@email.com"; nocase;)
> >   alert tcp $SMTPX any -> $MYSMTP 25 (content:"that@email.com"; nocase; resp:rst_all;)
> >
> > Can anyone help me make this work? plz! I've lost some nights trying to figure out what's wrong.
> >
> > Thanks in advance.
> >
> > Best Regards
> > __________________
> > Carlos Kumbak
> > ckumbak () bol com br
> >
> > __________________________________________________________________________
> > Want your own address on the Internet? Secure yours now and also get five personalized e-mails.
> > DomíniosBOL - http://dominios.bol.com.br

--
Mike Taylor
Coordinator of Systems Administration and Network Security
Indiana State University. Rankin Hall Rm 053
210 N 7th St. Terre Haute, IN.
SANS GSEC http://www.sans.org/

_______________________________________________________________
Have big pipes? SourceForge.net is looking for download mirrors. We supply the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
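An added illustration of Matt Kettler's point about TCP segments (example code, not from the thread or from Snort): it models the client-side SMTP command segments a sensor would see, with constructed addresses and host names, and evaluates the two posted rules per segment and over the reassembled stream. It also covers the non-compliant "fire everything without waiting" client, the one case in which the two-content pass rule can match.

```python
"""Added example, not from the thread: Snort-style multi-content matching
applied to the SMTP segments a sensor sees. All values are constructed."""

SENDER = b"that@email.com"     # the address the original poster wants to block
RECIPIENT = b"my@email.com"    # the one recipient who should still get its mail


def smtp_client_segments(mail_from, rcpt_to, pipelined=False):
    """Client-to-server segments of one delivery. A compliant client waits for
    the server reply after each command, so every command travels in its own
    segment; a client that fires commands without waiting (pipelined=True)
    can put them all in one segment."""
    commands = [
        b"EHLO relay.example\r\n",
        b"MAIL FROM:<" + mail_from + b">\r\n",
        b"RCPT TO:<" + rcpt_to + b">\r\n",
        b"DATA\r\n",
    ]
    return [b"".join(commands)] if pipelined else commands


def multi_content_match(payload, contents):
    """Rule body semantics: every content: option must match the same buffer
    (nocase assumed, as in the posted rules)."""
    hay = payload.lower()
    return all(c.lower() in hay for c in contents)


def matches_per_segment(segments, contents):
    """How a packet rule is evaluated: each segment on its own."""
    return any(multi_content_match(seg, contents) for seg in segments)


def matches_reassembled(segments, contents):
    """How a stream-reassembled (session-level) check sees the same traffic."""
    return multi_content_match(b"".join(segments), contents)


def evaluate(pipelined=False):
    """Outcome of the two posted rules for a message from SENDER to RECIPIENT."""
    segs = smtp_client_segments(SENDER, RECIPIENT, pipelined)
    return {
        "pass_rule_fires": matches_per_segment(segs, [SENDER, RECIPIENT]),
        "alert_rule_fires": matches_per_segment(segs, [SENDER]),
        "reassembled_match": matches_reassembled(segs, [SENDER, RECIPIENT]),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("pipelined" if mode else "compliant", evaluate(mode))
```

With a compliant client the pass rule never fires while the single-content alert (and its resp) fires on every message from that sender, including the ones meant for "me"; only a pipelining client or a session-level check sees both addresses together.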