
List:       bleeding-sigs
Subject:    Re: [Bleeding-sigs] Outbound Multiple Non-SMTP Server Emails
From:       Matt Jonkman <mjonkman () infotex ! com>
Date:       2006-07-13 3:21:55
Message-ID: 44B5BC53.7090506 () infotex ! com

Ray H. wrote:
> It does help a bit, on why the rule was created. But when I looked at
> the payload, there was none.

That's a result of the type of match. If snort doesn't have to dip into
the payload to make a match it doesn't output the payload with standard
output plugins.

If you're using the unified output plugins then you could specify a tag
to capture more of the session.

> To me it seemed like only part of a
> conversation between our exchange servers and numerous other mail
> servers all over the world. It bothers me that this traffic is coming
> from our exchange servers.

This isn't bad traffic. This sig is designed to catch mail being sent by
hosts that should normally never send mail directly out to the internet.
If you define the SMTP_SERVERS var as your Exchange servers and such,
things will be good.


> Tomorrow with our server’s admin permission, I want to run ethereal on
> it for awhile to establish a baseline and then tweak some filters.
> 
> Does anybody have a suggested solution to diagnose this issue of traffic
> from our exchange servers to other mail servers on the internet?
> 

Ethereal is a good start, but this sig isn't telling you there's a problem.

Matt

> Thanks for responding Matt, it’s good to know my first post to a mailing
> list got a response so quickly.
> 
> -----Original Message-----
> From: Matt Jonkman [mailto:mjonkman@infotex.com]
> Sent: Wednesday, July 12, 2006 4:45 PM
> To: snort@melray.us
> Cc: bleeding-sigs@bleedingsnort.com
> Subject: Re: [Bleeding-sigs] Outbound Multiple Non-SMTP Server Emails
> 
> This isn't one to panic over if it's from a known mail server.
> 
> Set the SMTP_SERVERS var to your known mail server IPs. That'll knock
> this out.
> 
> What the sig is looking for are bots and the like on your internal net
> pumping out spam. That's often the first thing a lot of the bots do once
> they infect.
> 
> That help?
> 
> Matt
> 
> Ray H. wrote:
> 
>> Looking for some information on the rule below. I'm not exactly sure what
>> it is looking for, but it seems to me that anything in SMTP_SERVERS to
>> everything but HOME_NET with the SYN flag set to a destination on port 25
>> will trigger this, is that correct? I am receiving a lot of noise from
>> this, but looking at the packet information, there's nothing there. I'm
>> really concerned with this type of alert because some of our Exchange
>> servers are sending TCP SYNs to destinations they should not send to,
>> i.e. other countries. Can I get some clarification on this specific rule?
>> I can't understand why an Exchange server would send this type of data
>> unless it is also sending emails as well.
>>
>> #You MUST add the SMTP_SERVERS var to your snort.conf!!!!
>> alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "BLEEDING-EDGE POLICY
>> Outbound Multiple Non-SMTP Server Emails"; flags: S,12; threshold: type
>> threshold, track by_src,count 10, seconds 120; classtype: misc-activity;
>> sid: 2000328; rev:7;)
>>

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
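As an added example that is not part of this thread or of the Bleeding-Edge rule set: a small Python model of sid:2000328's match condition (`!$SMTP_SERVERS any -> !$HOME_NET 25`, `flags: S,12`) and its `threshold: type threshold, track by_src, count 10, seconds 120`, replayed over constructed SYN records. It shows why an Exchange server trips the rule while SMTP_SERVERS is left undefined and why it stops once the var lists the Exchange hosts, while a workstation pumping out SMTP connections still alerts. HOME_NET 10.0.0.0/8, the Exchange addresses 10.1.1.10/11, the workstation 10.1.50.23 and the traffic itself are assumptions; the threshold class approximates Snort's `type threshold` (fire on every count-th match inside the window) rather than reproducing its code.

```python
"""Offline model of Bleeding-Edge sid:2000328 (constructed example, not Snort
code): replays hand-made TCP SYN records through the rule's match condition
and its `threshold: type threshold, track by_src, count 10, seconds 120`."""
import ipaddress

# Assumed site values (not from the thread): the sensor's HOME_NET and the
# two Exchange servers that belong in snort.conf as
#   var SMTP_SERVERS [10.1.1.10,10.1.1.11]
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
EXCHANGE = ["10.1.1.10", "10.1.1.11"]


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def rule_matches(pkt, smtp_servers, home_net=HOME_NET):
    """alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (flags: S,12; ...)

    flags: S,12 = SYN set, ignoring reserved bits 1 and 2 (CWR/ECE), so a
    SYN carrying ECN bits still matches but a SYN/ACK does not.
    """
    if pkt["proto"] != "tcp" or pkt["dport"] != 25:
        return False
    if pkt["src"] in smtp_servers:        # !$SMTP_SERVERS
        return False
    if in_nets(pkt["dst"], home_net):     # !$HOME_NET
        return False
    return set(pkt["flags"]) - {"C", "E"} == {"S"}


class Threshold:
    """Approximation of Snort's `type threshold, track by_src`: fire on every
    count-th match from a source inside a `seconds` window, then restart."""

    def __init__(self, count=10, seconds=120):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, matches_so_far)

    def hit(self, src, ts):
        start, n = self.state.get(src, (None, 0))
        if start is None or ts - start > self.seconds:
            start, n = ts, 0              # window expired: start a new one
        n += 1
        if n >= self.count:
            self.state[src] = (ts, 0)     # fire and restart the window
            return True
        self.state[src] = (start, n)
        return False


def run(packets, smtp_servers):
    """Return (src, ts) for every alert the rule would raise."""
    th = Threshold()
    return [(p["src"], p["ts"]) for p in packets
            if rule_matches(p, smtp_servers) and th.hit(p["src"], p["ts"])]


def syn(ts, src, dst, flags="S"):
    return {"ts": ts, "src": src, "dst": dst, "proto": "tcp",
            "dport": 25, "flags": flags}


def constructed_packets():
    """Constructed traffic: an Exchange server relaying mail (12 SYNs in 60 s),
    a workstation blasting SMTP (25 SYNs in 25 s), and records that must not match."""
    pkts = [syn(5 * i, "10.1.1.10", f"198.51.100.{i + 1}") for i in range(12)]
    pkts += [syn(100 + i, "10.1.50.23", f"203.0.113.{i + 1}") for i in range(25)]
    pkts += [
        syn(200, "10.1.50.23", "10.1.1.10"),           # to the internal MTA: dst in HOME_NET
        syn(201, "198.51.100.7", "10.1.1.10"),         # inbound mail: dst in HOME_NET
        syn(202, "10.1.50.23", "203.0.113.9", "SA"),   # SYN/ACK: flags test fails
        syn(203, "10.1.50.23", "203.0.113.9", "SEC"),  # SYN with ECN bits: still counts
    ]
    return pkts


if __name__ == "__main__":
    print("SMTP_SERVERS unset:", run(constructed_packets(), []))
    print("SMTP_SERVERS set  :", run(constructed_packets(), EXCHANGE))
```

With SMTP_SERVERS empty the Exchange host alerts on its 10th outbound SYN, exactly the noise described in the thread; with the two Exchange addresses excluded only the workstation's bursts remain, which is the spam-bot case the rule was written for. Note that the threshold only suppresses alert volume: a host that makes nine connections every two minutes never trips it.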