Snort mailing list archives

Re: SMTP Backscatter


From: waldo kitty <wkitty42 () windstream net>
Date: Sun, 16 Feb 2014 19:35:15 -0500

On 2/16/2014 10:40 AM, Jeff Kell wrote:
> On 2/16/2014 10:25 AM, waldo kitty wrote:
>> On 2/16/2014 9:54 AM, Dave Corsello wrote:
>>> Guys, thanks, but I don't need advice on setting up SMTP--at least not
>>> in this situation.  Just looking for an answer to the following:  Can
>>> Snort somehow: 1) detect an outgoing 450 4.1.1 error;
>> yes, it can easily do this...
>>
>>> and in response, 2) block all incoming SMTP traffic from the sender IP for a
>>> period of time?
>> i'm not aware of this ever having been done...
>
> It may have been possible with certain incantations of Snortsam, which
> could block *specific* traffic for certain output plugin modules.

understood...

> Current Snortsam functionality, with plugin support in barnyard2 (no
> more snort source patching) can be used to block the source IP
> (unilaterally).  So you would block the attacking IP across the board of
> protocols/destinations.  We do this on our inbound SMTP (to detect
> spamming / farming) as well as outbound (compromised hosts used to send
> spam).

here's the problem that i see... everything references the *source* IP causing 
the alert... when one is using a rule to detect an internal server's response to 
an external attacker, the internal server is the source of the alert... you 
*don't* want to block that server... instead, you want to block the 
/destination/ IP...

i've never run snortsam because i didn't hear about it until after i had my 
solution in distribution... i have done some research on snortsam but dropped it 
when the snort developers basically made it obsolete... in my researching, i 
don't recall seeing anything where one could block the destination server in a 
situation like this... if this is/was possible, i'd love to know about it :)

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
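The point raised above, that a rule matching the internal MTA's 450 4.1.1 response reports the MTA as the alert's *source* and the remote sender as its *destination*, is easy to get wrong in whatever script or plugin acts on the alert. The following is an added example written for this archive page, not code from the thread, Snort or Snortsam. It assumes a hypothetical rule (sid 1000001, shown as a string) that fires on the server's response, a hypothetical client-side rule (sid 1000002), a `$HOME_NET` of 10.0.0.0/8, and constructed alert lines in Snort's fast-alert format. It parses the alerts, picks the destination address for server-response rules and the source address otherwise, refuses to block anything in `$HOME_NET`, and keeps the block for a fixed hold period rather than permanently.

```python
"""Choose the remote peer to block from Snort fast-alert lines.

Added example for the "block the destination, not the source" point; not
from the mailing-list thread or from the Snort/Snortsam projects.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Hypothetical rule: matches the internal MTA's own 450 4.1.1 reply, so in
# the resulting alert our server is the *source* and the remote sender is
# the *destination*.  Assumed for this example, not taken from the thread.
EXAMPLE_RULE = (
    'alert tcp $HOME_NET 25 -> $EXTERNAL_NET any ('
    'msg:"SMTP 450 4.1.1 recipient unknown"; flow:established,from_server; '
    'content:"450 4.1.1"; sid:1000001; rev:1;)'
)

# SIDs (hypothetical) whose rule matches traffic *from* our server.  For
# these the remote peer is the alert's destination, not its source.
SERVER_RESPONSE_SIDS = {1000001}

# Assumed $HOME_NET; addresses in here are never blocked, even if a SID is
# mis-classified above.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

# Snort fast-alert line: timestamp [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_fast_alert(line):
    """Return a dict of the alert's fields, or None if the line doesn't parse."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    return alert


def remote_peer(alert):
    """Pick the address of the remote party for this alert."""
    if alert["sid"] in SERVER_RESPONSE_SIDS:
        return alert["dst"]  # our server answered; the peer is the destination
    return alert["src"]  # client-side rule; the peer is the source


class TemporaryBlocklist:
    """Block an address for a fixed hold period, then let it expire."""

    def __init__(self, hold=timedelta(minutes=30)):
        self.hold = hold
        self._until = {}

    def block(self, ip, now):
        self._until[ip] = now + self.hold

    def is_blocked(self, ip, now):
        until = self._until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._until[ip]  # expired; drop it
            return False
        return True


def process(lines, now, blocklist):
    """Feed alert lines through the chooser; return the addresses blocked."""
    blocked = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        ip = remote_peer(alert)
        if ipaddress.ip_address(ip) in HOME_NET:
            continue  # never block our own hosts
        blocklist.block(ip, now)
        blocked.append(ip)
    return blocked


# Constructed sample alerts (addresses from documentation ranges).
SAMPLE_ALERTS = [
    "02/16-19:35:15.123456  [**] [1:1000001:1] SMTP 450 4.1.1 recipient unknown "
    "[**] [Priority: 3] {TCP} 10.0.0.25:25 -> 203.0.113.7:51234",
    "02/16-19:35:16.000001  [**] [1:1000002:1] SMTP inbound RCPT flood [**] "
    "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} "
    "198.51.100.9:40000 -> 10.0.0.25:25",
    "this line is not an alert and is skipped",
]

if __name__ == "__main__":
    now = datetime(2014, 2, 16, 19, 35, 15)
    bl = TemporaryBlocklist()
    for ip in process(SAMPLE_ALERTS, now, bl):
        print("block", ip, "until", bl._until[ip].time())
```

Whatever actually enforces the block (a firewall rule pushed by a Snortsam-style agent, or anything else) should receive the address returned by `remote_peer`, keyed on the rule's SID; the `$HOME_NET` check is the safety net for the case the thread warns about, where naive source-IP blocking would cut off the mail server itself.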

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
