Snort mailing list archives
Re: Using resp against a virus
From: Bennett Todd <bet () rahul net>
Date: Wed, 10 Jul 2002 11:10:23 -0400
2002-07-09-17:39:01 Jeremy:
I was just curious if resp could be used to reset the connection when an email virus matches a rule.
It could, but I doubt it'll do what you want.
For example we get tons of Klez matches on our external snort box and I was wondering if we could use resp to reset the connection before it hits the smtp server.
Nope. Not "before". Only "as soon as". An IDS monitors traffic as it goes past. By the time a Klez signature (or any other email virus/worm sig) hits an IDS, there has been a fairly protracted dialogue, something like client:tcp/???? SYN -> server:tcp/25 server:tcp/25 SYN|ACK -> client:tcp/???? client:tcp/???? ACK -> server:tcp/25 server:tcp/25 220 Howdy -> client:tcp/???? client:tcp/???? HELO ... -> server:tcp/25 server:tcp/25 250 ... -> client:tcp/??? and so forth through the MAIL FROM, RCPT TO, and DATA exchanges; then the client has sent the email header, and whatever of the body preceeds the point where the signature matched. If snort (or any other IDS, this limit applies to anything except an SMTP proxy) sent an RST back at the client, the server would hang until it timed out; that'd be substantially more expensive than just completing the SMTP dialogue and processing the message, for any high-performance MTA. High-performance MTAs don't like to wait around:-). Now I suppose it's possible that if you use flexresp's rst_rcv (or rst_all) so that the mail server got a reset, it might see the close on the socket without having to timeout, and since it hasn't seen the "." at the end of the body it might then quickly discard the message. I'd be nervous about doing this on a high-volume server, though; whenever you turn over a new network traffic pattern, you uncover crawly bugs all scurrying all over, from the application, down through system libraries, into the network stack, and sometimes even back up in other apparently unrelated areas like schedulers and whatnot. I'd not be especially optimistic that a high-performance email server would remain stable if you began forging a storm of RSTs closing some of its connections mid-message. If you really want to pursue this, note that rst_rcv is what you're really looking at, and take this description to the support list for your MTA, and perhaps to the support list for your OS as well --- this could turn up nasty things in either place. -Bennett
Attachment:
_bin
Description:
Current thread:
- Using resp against a virus Jeremy (Jul 09)
- Re: Using resp against a virus Michael Boman (Jul 09)
- Re: Using resp against a virus Jeff Kell (Jul 09)
- Re: Using resp against a virus -> LaBrea plugin? Frank Knobbe (Jul 09)
- Re: Using resp against a virus Jeff Kell (Jul 09)
- Re: Using resp against a virus Bennett Todd (Jul 10)
- Re: Using resp against a virus Michael Boman (Jul 09)