Intrusion Detection Systems mailing list archives

Re: IDS engines put this together


From: roesch () hiverworld com (Martin Roesch)
Date: Tue, 13 Jun 2000 02:17:13 -0700


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
Chris Josephes wrote:

> > Snort rule (one-two punch):
> >
> > pass tcp !$HOME_NET any -> $HOME_NET 25 (content: "RCPT TO"; nocase;
> > content: $HOME_DOMAIN; nocase;)
> >
> > alert tcp !$HOME_NET any -> $HOME_NET 25 (content: "RCPT TO"; nocase;
> > msg: "SMTP Relay attempt!";)
>
> This looks like it would be tricky if the mail server(s) handled multiple
> domains.
>
> Since the original question was only regarding open-relay "probes", what about
> capturing the MTA return error:
>
> alert tcp $HOME_NET 25 -> !$HOME_NET any (content: "Relaying denied"; nocase; msg: "Open Relay probe!";)
>
> It only works if we know the MTA is secure in the first place.

Yep, and Snort already has a rule for this as well.  I was just trying
to write a rule that was triggered by the stimulus instead of the
response.:)  


-- 
Martin Roesch                      <roesch () hiverworld com>
Director of Forensic Systems     http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management
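As an added example (not from the thread or from Snort), the Python below emulates the logic of both rule sets over a constructed SMTP exchange: the stimulus side passes RCPT TO for local recipients and alerts on any other recipient, the response side fires on the MTA's "Relaying denied" error. Unlike the raw content matches it parses each RCPT TO command and takes a set of local domains, which covers the multi-domain case Chris raises; all host and domain names are constructed.

```python
import re

# Domains this site accepts mail for. Constructed values; the thread's pass
# rule used a single $HOME_DOMAIN, which breaks down for multi-domain MTAs.
HOME_DOMAINS = {"example.com", "mail.example.com"}

RCPT_RE = re.compile(r"^RCPT TO:\s*<?([^>\s]+)>?", re.IGNORECASE)


def rcpt_domain(line):
    """Return the recipient domain of an SMTP 'RCPT TO' command, or None."""
    m = RCPT_RE.match(line.strip())
    if not m or "@" not in m.group(1):
        return None
    return m.group(1).rsplit("@", 1)[1].lower()


def stimulus_alerts(client_lines, home_domains=HOME_DOMAINS):
    """One-two punch: a RCPT TO for a home domain is passed, every other
    RCPT TO raises 'SMTP Relay attempt!' (triggered by the stimulus)."""
    alerts = []
    for line in client_lines:
        dom = rcpt_domain(line)
        if dom is None or dom in home_domains:
            continue  # not a RCPT TO, or the pass rule wins
        alerts.append(("SMTP Relay attempt!", line.strip()))
    return alerts


def response_alerts(server_lines):
    """Response-side rule: fire on the MTA's 'Relaying denied' reply.
    Only meaningful if the MTA is known not to relay in the first place."""
    return [("Open Relay probe!", l.strip()) for l in server_lines
            if "relaying denied" in l.lower()]


# Constructed client commands: one local recipient, one relay attempt.
CLIENT = [
    "HELO probe.example.net",
    "MAIL FROM:<sender@probe.example.net>",
    "RCPT TO:<alice@mail.example.com>",  # local: passed
    "RCPT TO:<bob@other.example.net>",   # relay attempt: alert
    "QUIT",
]
# Constructed server replies: the MTA refusing the relay.
SERVER = ["250 OK", "550 5.7.1 <bob@other.example.net>... Relaying denied", "221 Bye"]

if __name__ == "__main__":
    for msg, evidence in stimulus_alerts(CLIENT) + response_alerts(SERVER):
        print(f"{msg}: {evidence}")
```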


