Thread: Outbound Multiple Non-SMTP Server Emails
Outbound Multiple Non-SMTP Server Emails
user name
2006-07-12 20:50:00
Looking for some information on the rule below. I'm not exactly sure what
it is looking for, but it seems to me that anything in SMTP_SERVERS to
everything but HOME_NET with the SYN flag set to a destination on port 25
will trigger this, is that correct? I am receiving a lot of noise from
this, but looking at the packet information, there's nothing there. I'm
really concerned with this type of alert because some of our Exchange
servers are sending TCP SYNs to destinations they should not send to,
i.e. other countries. Can I get some clarification on this specific rule?
I can't understand why an Exchange server would send this type of data
unless it is also sending emails as well.


#You MUST add the SMTP_SERVERS var to your snort.conf!!!!
# Header: source = any host NOT in $SMTP_SERVERS, any port; destination = any host NOT in $HOME_NET, TCP/25
# flags:S,12 = SYN set and all other flags clear, ignoring reserved bits 1 and 2
# threshold type threshold, track by_src, count 10, seconds 120 = alert on every 10th matching SYN
#   from the same source IP within a 120-second window
alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails"; flags:S,12; threshold: type threshold, track by_src, count 10, seconds 120; classtype:misc-activity; sid:2000328; rev:7;)

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
Outbound Multiple Non-SMTP Server Emails
user name
2006-07-12 21:44:41
This isn't one to panic over if it's from a known mail server.

Set the SMTP_SERVERS var to your known mail server IPs. That'll knock
this out.

What the sig is looking for are bots and the like on your internal net
pumping out spam. That's often the first thing a lot of the bots do once
they infect.

That help?

Matt

Ray H. wrote:
> Looking for some information on the rule below. I'm not exactly sure what
> it is looking for, but it seems to me that anything in SMTP_SERVERS to
> everything but HOME_NET with the SYN flag set to a destination on port 25
> will trigger this, is that correct? I am receiving a lot of noise from
> this, but looking at the packet information, there's nothing there. I'm
> really concerned with this type of alert because some of our Exchange
> servers are sending TCP SYNs to destinations they should not send to,
> i.e. other countries. Can I get some clarification on this specific rule?
> I can't understand why an Exchange server would send this type of data
> unless it is also sending emails as well.
> 
> 
> #You MUST add the SMTP_SERVERS var to your snort.conf!!!!
> alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails"; flags:S,12; threshold: type threshold, track by_src, count 10, seconds 120; classtype:misc-activity; sid:2000328; rev:7;)
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------

