Snort mailing list archives
Swen.A results with Snort-inline (protocol anomaly detection)
From: pieter claassen <pieter () countersnipe com>
Date: Thu, 25 Sep 2003 21:45:57 +0100
We have had some success with Snort-inline to stop the Swen.A virus from crippling our email system. We managed to reduce the amount of mail entering our environment by more than 90%. However, because we used the "reject" action with TCP resets to both the sending MTA and our MTA, the result was a not very graceful reject of mail and probably some pain for many service providers who had to deal with the backlog in mail delivery that this strategy created (considering that they are the only people who can do something about this, a little bit of pain might not be such a bad idea).

http://countersnipe.com/downloads/case_studies/

However, this raised another question. All the snort plugins are focused on detection. In this specific case, it would have been great to have a snort plugin that could partake in the SMTP conversation and bring the line down a little bit more gracefully (e.g. remember the message id of offending mail, reset the TCP session when it detects a bad packet and then return an SMTP 550 message to the relaying MTA on the next connection).

This is obviously more focused on IPS than IDS, but it also leads me to think more about protocol anomaly detection. Any work currently happening in understanding application protocols and how to package this in a plugin framework or any chance of extending an existing protocol analysis plugin to include this functionality (conversation?)?

Pieter

--
pieter claassen <pieter () countersnipe com>
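The "graceful reject" Pieter sketches above, as an added simulation that is not part of the original post and not a Snort plugin: a minimal SMTP-aware filter that tears the session down the first time it sees a flagged message mid-DATA (the reset behaviour described), remembers that message's Message-ID, and answers the relaying MTA's retry with a clean 550 at end-of-data so the sender bounces the mail instead of queueing it again. The detection marker, host names and Message-IDs are all constructed placeholders, not Swen.A indicators.

```python
import re
from dataclasses import dataclass, field

# Constructed detection marker standing in for whatever the inline sensor
# matched on; deliberately NOT a real Swen.A signature.
BAD_MARKER = re.compile(r"^X-Constructed-Bad-Marker:\s*yes\s*$", re.IGNORECASE)
MESSAGE_ID = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.IGNORECASE)


@dataclass
class GracefulSmtpFilter:
    """Hypothetical SMTP-aware inline filter (simulation, not Snort code).

    First sighting of a flagged message: drop the session (the 'reset' path)
    and remember its Message-ID. Retry of the same message: let DATA finish
    and reply 550 so the relaying MTA bounces it rather than retrying.
    """
    remembered_ids: set = field(default_factory=set)

    def converse(self, client_lines):
        """Run one client transcript through a tiny SMTP state machine.
        Returns (server_responses, outcome); outcome is 'accepted',
        'reset' or 'rejected-550'."""
        responses = ["220 mx.example.test ESMTP (simulated)"]
        in_data, body, reject_pending = False, [], False
        for line in client_lines:
            if in_data:
                if line == ".":
                    in_data = False
                    if reject_pending:
                        responses.append("550 5.7.1 Message rejected (previously flagged)")
                        return responses, "rejected-550"
                    responses.append("250 2.0.0 OK: queued")
                    body, reject_pending = [], False
                    continue
                body.append(line)
                m = MESSAGE_ID.match(line)
                if m and m.group(1) in self.remembered_ids:
                    reject_pending = True          # known-bad retry: finish DATA, then 550
                if BAD_MARKER.match(line) and not reject_pending:
                    # Ungraceful path: session torn down mid-DATA. Remember any
                    # Message-ID seen so far so the retry can get a 550 instead.
                    for seen in body:
                        mid = MESSAGE_ID.match(seen)
                        if mid:
                            self.remembered_ids.add(mid.group(1))
                    return responses, "reset"
                continue
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                responses.append("250 mx.example.test")
            elif verb in ("MAIL", "RCPT"):
                responses.append("250 2.1.0 OK")
            elif verb == "DATA":
                responses.append("354 End data with <CR><LF>.<CR><LF>")
                in_data = True
            elif verb == "QUIT":
                responses.append("221 2.0.0 Bye")
                return responses, "accepted"
            else:
                responses.append("500 5.5.1 Command unrecognized")
        return responses, "accepted"


# Constructed sample transcripts (client side only; server replies are generated).
FLAGGED_MESSAGE = [
    "EHLO relay.example.test",
    "MAIL FROM:<sender@example.test>",
    "RCPT TO:<user@example.test>",
    "DATA",
    "Message-ID: <constructed-0001@example.test>",
    "Subject: constructed sample",
    "X-Constructed-Bad-Marker: yes",
    "",
    "body text",
    ".",
    "QUIT",
]
CLEAN_MESSAGE = [l for l in FLAGGED_MESSAGE if not BAD_MARKER.match(l)]


def simulate_two_deliveries():
    """First attempt is reset mid-DATA; the MTA's retry receives a 550."""
    f = GracefulSmtpFilter()
    first = f.converse(FLAGGED_MESSAGE)[1]
    second = f.converse(FLAGGED_MESSAGE)[1]
    return first, second, sorted(f.remembered_ids)


def simulate_clean_delivery():
    """A message without the marker is queued and the session ends normally."""
    responses, outcome = GracefulSmtpFilter().converse(CLEAN_MESSAGE)
    return outcome, responses[-1], "250 2.0.0 OK: queued" in responses


if __name__ == "__main__":
    print(simulate_two_deliveries())
    print(simulate_clean_delivery())
```

The design point is the state carried between connections: the reset alone leaves the relaying MTA believing delivery was interrupted, so it keeps retrying and the backlog the post describes builds up; answering the retry with a permanent 550 is what lets the remote queue drain. A real implementation would also need to expire remembered IDs and cope with a marker that arrives before the Message-ID header (here the reset still happens, but nothing is remembered, so the retry is reset again).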
Current thread:
- Swen.A results with Snort-inline (protocol anomaly detection) pieter claassen (Sep 25)
- Re: Swen.A results with Snort-inline (protocol anomaly detection) Jason Haar (Sep 25)
- Re: Swen.A results with Snort-inline (protocol anomaly detection) pieter claassen (Sep 26)
- Re: Swen.A results with Snort-inline (protocol anomaly detection) Jason Haar (Sep 26)
- Re: Swen.A results with Snort-inline (protocol anomaly detection) pieter claassen (Sep 26)
- Re: Swen.A results with Snort-inline (protocol anomaly detection) Jason Haar (Sep 25)