Snort mailing list archives
Re: SMTP Backscatter
From: waldo kitty <wkitty42 () windstream net>
Date: Sun, 16 Feb 2014 19:35:15 -0500
On 2/16/2014 10:40 AM, Jeff Kell wrote:
> On 2/16/2014 10:25 AM, waldo kitty wrote:
>> On 2/16/2014 9:54 AM, Dave Corsello wrote:
>>> Guys, thanks, but I don't need advice on setting up SMTP--at least not in this situation. Just looking for an answer to the following: Can Snort somehow: 1) detect an outgoing 450 4.1.1 error;
>> yes, it can easily do this...
>>> and in response, 2) block all incoming SMTP traffic from the sender IP for a period of time?
>> i'm not aware of this ever having been done...
> It may have been possible with certain incantations of Snortsam, which could block *specific* traffic for certain output plugin modules.

understood...

> Current Snortsam functionality, with plugin support in barnyard2 (no more snort source patching) can be used to block the source IP (unilaterally). So you would block the attacking IP across the board of protocols/destinations. We do this on our inbound SMTP (to detect spamming / farming) as well as outbound (compromised hosts used to send spam).
here's the problem that i see... everything references the *source* IP causing the alert... when one is using a rule to detect an internal server's response to an external attacker, the internal server is the source of the alert... you *don't* want to block that server... instead, you want to block the /destination/ IP...

i've never run snortsam because i didn't hear about it until after i had my solution in distribution... i have done some research on snortsam but dropped it when the snort developers basically made it obsolete... in my researching, i don't recall seeing anything where one could block the destination server in a situation like this... if this is/was possible, i'd love to know about it :)

--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
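Added example (not code from this thread, from Snort or from Snortsam) of the direction point made above: a script reads Snort fast-format alerts for the internal server's outgoing 450 4.1.1 response and puts the alert's *destination* (the external sender) on a timed block list, never the alerting server itself. The alert lines, sid 1000001, the IP addresses, the hit threshold and the block duration are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts in Snort "fast" format; sid 1000001 is assumed to be
# a local rule matching "450 4.1.1" sent by the internal MTA 10.0.0.25 on port 25.
SAMPLE_ALERTS = """\
02/16-10:25:01.000000  [**] [1:1000001:0] SMTP 450 4.1.1 user unknown [**] [Priority: 2] {TCP} 10.0.0.25:25 -> 203.0.113.7:51234
02/16-10:25:03.000000  [**] [1:1000001:0] SMTP 450 4.1.1 user unknown [**] [Priority: 2] {TCP} 10.0.0.25:25 -> 203.0.113.7:51240
02/16-10:26:10.000000  [**] [1:1000001:0] SMTP 450 4.1.1 user unknown [**] [Priority: 2] {TCP} 10.0.0.25:25 -> 198.51.100.9:40001
02/16-10:27:00.000000  [**] [1:1000002:0] SMTP inbound RCPT [**] [Priority: 3] {TCP} 192.0.2.44:33000 -> 10.0.0.25:25
"""

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_fast_alerts(text, year=2014):
    """Yield one dict per parseable fast-format alert line (the year is not in the line)."""
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
        yield a

def backscatter_blocks(text, sid="1000001", hits=2, block_minutes=30):
    """Map offending external IP -> block expiry, built from our MTA's outgoing 450 alerts.

    The alert's *source* is our own server (it sent the 450), so the address to
    block is the alert's *destination*; the server is never added to the list.
    """
    counts, blocks = {}, {}
    for a in parse_fast_alerts(text):
        if a["sid"] != sid or a["sport"] != 25:   # only our MTA's own responses
            continue
        offender = a["dst"]
        counts[offender] = counts.get(offender, 0) + 1
        if counts[offender] >= hits and offender not in blocks:
            blocks[offender] = a["ts"] + timedelta(minutes=block_minutes)
    return blocks

def active_blocks(blocks, now):
    """Addresses whose block has not yet expired at time `now`, sorted."""
    return sorted(ip for ip, until in blocks.items() if now < until)
```

The inbound alert (sid 1000002, source port 33000) is ignored, and 198.51.100.9 stays off the list because it produced only one 450 response, below the threshold.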