Intrusion Detection Systems mailing list archives
Re: IDS engines put this together
From: roesch () hiverworld com (Martin Roesch)
Date: Mon, 12 Jun 2000 12:21:32 -0700
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Snort rule (one-two punch):

pass tcp !$HOME_NET any -> $HOME_NET 25 (content: "RCPT TO"; nocase; content: $HOME_DOMAIN; nocase;)
alert tcp !$HOME_NET any -> $HOME_NET 25 (content: "RCPT TO"; nocase; msg: "SMTP Relay attempt!";)

Run it with the -o switch so the rules are applied in the right order.

Hmm, I think we need to implement a negation indicator for the content keyword; if it existed, this would be much easier to write as:

alert tcp !$HOME_NET any -> $HOME_NET 25 (content: "RCPT TO"; nocase; content: !$HOME_DOMAIN; nocase; msg: "SMTP Relay attempt!";)

-Marty

Lance Spitzner wrote:

> Today one of my honeypots was probed for spam relay. Do IDS engines have the 'intelligence' to put this session together and realize the remote system is probing for spam relay sites? Signature is below. My domain name has been sanitized, but all other information is valid.
>
> 220 mail.example.com. Sendmail SMI-8.6/SMI-SVR4 ready at Sun, 11 Jun 2000 11:27:42 -0500
> HELO MAIL.EXAMPLE.COM
> 250 mail.example.com. Hello [211.54.114.180], pleased to meet you
> MAIL FROM:<woqjffirst_at_yahoo.com () MAIL EXAMPLE COM>
> 250 <woqjffirst_at_yahoo.com () MAIL EXAMPLE COM>... Sender ok
> RCPT TO:<woqjffirst () yahoo com>
> 250 <woqjffirst () yahoo com>... Recipient ok
> DATA
> 354 Enter mail, end with "." on a line by itself
> qjffirst () yahoo com
> From: woqjffirst () yahoo com (Spade relay check)
> Subject: MAIL.EXAMPLE.COM relay check
> .
> 250 LAA14291 Message accepted for delivery
> QUIT
> 221 mail.example.com. closing connection
>
> Lance Spitzner
> http://www.enteract.com/~lspitz/papers.html
-- Martin Roesch <roesch () hiverworld com> Director of Forensic Systems http://www.hiverworld.com Hiverworld, Inc. Continuous Adaptive Risk Management
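The pass/alert pair above works one packet at a time: it suppresses the alert whenever "RCPT TO" and the home domain appear in the same payload, and fires otherwise. The session-level question Lance raised (can the engine put the exchange together?) is easier to answer with state. The following Python script is an added example, not code from the thread or from Snort; it models the one-two punch as plain substring matching per packet beside a small stateful SMTP tracker that parses MAIL FROM and RCPT TO and flags an external client asking to deliver to a non-local recipient. The HOME_DOMAIN and HOME_NET values, the packet lists (reconstructed from the client side of the transcript and then varied) and all function names are assumptions made for the example. It also shows one divergence a practitioner would want to know about: if the client pipelines MAIL FROM and RCPT TO into one segment, the home domain in the sender address satisfies the pass rule and the per-packet check stays silent, while the session tracker still alerts.

```python
"""Per-packet vs. session-aware detection of SMTP relay probes (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HOME_DOMAIN = "example.com"            # assumption: stands in for Snort's $HOME_DOMAIN
HOME_NET_PREFIXES = ("10.0.0.", "192.168.")  # assumption: stands in for $HOME_NET

# "MAIL FROM:<a@b>" / "RCPT TO:<a@b>" (case-insensitive); address = last '@' splits user/domain
CMD_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*(.*)$", re.I)
ADDR_RE = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?")


def is_home_ip(ip: str) -> bool:
    return ip.startswith(HOME_NET_PREFIXES)


def is_home_domain(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return d == HOME_DOMAIN or d.endswith("." + HOME_DOMAIN)


def one_two_punch(src_ip: str, payload: str) -> bool:
    """Model of the pass/alert pair: external source, 'RCPT TO' in the payload,
    alert only if the home domain is NOT also in the same payload (pass rule wins)."""
    if is_home_ip(src_ip):
        return False
    p = payload.lower()
    if "rcpt to" not in p:
        return False
    return HOME_DOMAIN not in p


@dataclass
class SmtpSession:
    """Tracks the envelope of one client->server SMTP session."""
    src_ip: str
    mail_from: Optional[str] = None
    rcpts: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def feed(self, line: str) -> None:
        m = CMD_RE.match(line.strip())
        if not m:
            return                      # HELO, DATA, QUIT, message body: no envelope change
        verb, arg = m.group(1).upper(), m.group(2)
        addr = ADDR_RE.search(arg)
        if verb == "MAIL FROM":
            self.mail_from = addr.group(1) if addr else ""
            return
        rcpt = addr.group(1) if addr else ""
        self.rcpts.append(rcpt)
        # Relay attempt: external client, recipient not in our domain (sender is irrelevant)
        if addr and not is_home_ip(self.src_ip) and not is_home_domain(addr.group(2)):
            self.alerts.append(
                f"relay attempt from {self.src_ip}: {self.mail_from} -> {rcpt}")


def analyze(src_ip: str, packets: List[str]) -> Tuple[List[int], List[str]]:
    """Run both detectors over the client-side packets of one session.
    Returns (indices of packets the one-two punch alerted on, session alerts)."""
    session = SmtpSession(src_ip)
    packet_hits = []
    for i, payload in enumerate(packets):
        if one_two_punch(src_ip, payload):
            packet_hits.append(i)
        for line in payload.splitlines():
            session.feed(line)
    return packet_hits, session.alerts


# Constructed sample input: the client side of the probe, one command per packet.
PROBE_PACKETS = [
    "HELO MAIL.EXAMPLE.COM\r\n",
    "MAIL FROM:<woqjffirst_at_yahoo.com@MAIL.EXAMPLE.COM>\r\n",
    "RCPT TO:<woqjffirst@yahoo.com>\r\n",
    "DATA\r\n",
    "QUIT\r\n",
]
# Same probe with MAIL FROM and RCPT TO pipelined into one segment.
PIPELINED_PACKETS = [
    "HELO MAIL.EXAMPLE.COM\r\n",
    "MAIL FROM:<woqjffirst_at_yahoo.com@MAIL.EXAMPLE.COM>\r\nRCPT TO:<woqjffirst@yahoo.com>\r\n",
    "DATA\r\n",
]
# Legitimate inbound mail to a local user from the same external address.
INBOUND_PACKETS = [
    "HELO mx.yahoo.com\r\n",
    "MAIL FROM:<woqjffirst@yahoo.com>\r\n",
    "RCPT TO:<alice@example.com>\r\n",
]

if __name__ == "__main__":
    for name, pkts in [("probe", PROBE_PACKETS), ("pipelined", PIPELINED_PACKETS),
                       ("inbound", INBOUND_PACKETS)]:
        hits, alerts = analyze("211.54.114.180", pkts)
        print(f"{name}: per-packet hits={hits} session alerts={alerts}")
```

The per-packet model is only a model of content matching, not of Snort's rule engine, but it captures why a negated content keyword (or session state) is the cleaner expression of "RCPT TO a domain that is not ours": the pass rule is satisfied by the home domain appearing anywhere in the segment, including a forged sender address in a pipelined MAIL FROM.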
Current thread:
- IDS engines put this together Lance Spitzner (Jun 11)
- RE: IDS engines put this together Bill Royds (Jun 11)
- connection request to port 25 SHAIFUL HASHIM (Jun 12)
- Re: connection request to port 25 Carric Dooley (Jun 12)
- Does anyone know if there is a firewall in the market that does not filter out ip packets with source route option filled in. Akshay Kumar Sreeramoju (Jun 12)
- Re: connection request to port 25 Joe Dauncey (Jun 18)
- Re: IDS engines put this together Greg Shipley (Jun 12)
- port 25 Tim Slighter (Jun 12)
- Re: IDS engines put this together Martin Roesch (Jun 12)
- <Possible follow-ups>
- Re: IDS engines put this together Marcus J. Ranum (Jun 12)
- Re: IDS engines put this together Marcus J. Ranum (Jun 12)
- Re: IDS engines put this together Martin Roesch (Jun 13)
- Re: IDS engines put this together Mark.Teicher () predictive com (Jun 13)
- Re: IDS engines put this together Andy Bradford (Jun 13)
