Subject: Re: IDS: IDS engines put this together
From: Martin Roesch (roeschhiverworld.com)
Date: Tue Jun 13 2000 - 04:17:13 CDT


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
-----------------------------------------------------------------------------
Chris Josephes wrote:
>
> > Snort rule (one-two punch):
> >
> > pass tcp !$HOME_NET any -> $HOME_NET 25 (content: "RCPT TO"; nocase;
> > content: $HOME_DOMAIN; nocase;)
> >
> > alert tcp !$HOME_NET any -> $HOME_NET 25 (content: "RCPT TO"; nocase;
> > msg: "SMTP Relay attempt!";)
>
> This looks like it would be tricky if the mail server(s) handled multiple
> domains.
>
> Since the original question was only regarding open-relay "probes", what
> about capturing the MTA return error:
>
> alert tcp $HOME_NET 25 -> !$HOME_NET any (content: "Relaying denied"; nocase; msg: "Open Relay probe!";)
>
> It only works if we know the MTA is secure in the first place.

Yep, and Snort already has a rule for this as well. I was just trying
to write a rule that was triggered by the stimulus instead of the
response. :)

-- 
Martin Roesch                      <roeschhiverworld.com>
Director of Forensic Systems     http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management
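A small model of the two approaches in this thread (Martin's stimulus-side pass/alert pair and Chris's response-side rule), added here as an example; it is not part of the original message or of Snort. The HOME_DOMAINS tuple and the SMTP session are constructed sample values, and the tuple stands in for the single $HOME_DOMAIN variable so the multi-domain case Chris raised is covered.

```python
# Assumption (not from the thread): the domains our MTA accepts mail for. A Snort
# variable holds one string, which is why a multi-domain server trips up the pass rule.
HOME_DOMAINS = ("example.com", "example.org")


def stimulus_rule(payload, home_domains=HOME_DOMAINS):
    """Model of the one-two punch on client -> server port 25 payloads.

    Snort 'content' is a plain substring test; 'nocase' makes it case-insensitive.
    The pass rule suppresses the alert only when Snort evaluates pass rules first
    (the -o switch). Returns the alert msg, or None when passed / not an RCPT TO.
    """
    text = payload.lower()                                  # nocase
    if "rcpt to" not in text:
        return None                                         # neither rule's first content matches
    if any(d.lower() in text for d in home_domains):
        return None                                         # pass rule hit, alert suppressed
    return "SMTP Relay attempt!"


def response_rule(payload):
    """Model of Chris's rule on server port 25 -> client payloads."""
    if "relaying denied" in payload.lower():
        return "Open Relay probe!"
    return None


def run_rules(session, home_domains=HOME_DOMAINS):
    """Apply both rules to (direction, payload) pairs; 'C' is client->server, 'S' server->client."""
    alerts = []
    for direction, payload in session:
        msg = stimulus_rule(payload, home_domains) if direction == "C" else response_rule(payload)
        if msg:
            alerts.append(msg)
    return alerts


# Constructed SMTP session: one relay probe, then a legitimate delivery to our own domain.
SAMPLE_SESSION = [
    ("S", "220 mx.example.com ESMTP"),
    ("C", "HELO probe.invalid"),
    ("C", "MAIL FROM:<tester@probe.invalid>"),
    ("C", "rcpt to:<victim@elsewhere.net>"),                       # stimulus rule fires
    ("S", "550 5.7.1 <victim@elsewhere.net>... Relaying denied"),  # response rule fires
    ("C", "RCPT TO:<postmaster@Example.ORG>"),                     # our domain: passed
    ("S", "250 OK"),
]

if __name__ == "__main__":
    print(run_rules(SAMPLE_SESSION))  # ['SMTP Relay attempt!', 'Open Relay probe!']
```

Because the pass rule is a substring match, it passes any RCPT TO whose payload merely contains one of the home-domain strings, so it is only as strict as the domain strings themselves; the response-side rule has the opposite limitation noted in the thread, since it depends on the MTA already refusing to relay.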