alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328; rev:12;)

Added 2011-10-12 19:09:31 UTC

sid:2000328;Triggers on a client response to the SMTP_SERVERS if the SMTP_SERVERS are not in the HOME_NET. Not sure if that was intent.

-- ChrisNorthrop - 2016-12-07


alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2000328; sid:2000328; rev:12;)

Added 2011-09-15 14:46:04 UTC


alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2000328; sid:2000328; rev:12;)

Added 2011-09-14 20:33:36 UTC


alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2000328; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Unauthorized_SMTP; sid:2000328; rev:12;)

Added 2011-02-04 17:21:12 UTC


alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2000328; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Unauthorized_SMTP; sid:2000328; rev:11;)

Added 2010-06-28 22:46:59 UTC


alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2000328; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Unauthorized_SMTP; sid:2000328; rev:11;)

Added 2010-06-28 22:46:59 UTC


alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2000328; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Unauthorized_SMTP; sid: 2000328; rev:11;)

Added 2009-02-11 19:24:43 UTC


alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2000328; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Unauthorized_SMTP; sid: 2000328; rev:11;)

Added 2009-02-11 19:24:43 UTC


alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; sid: 2000328; rev:10;)

Added 2008-01-31 18:48:10 UTC


alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; sid: 2000328; rev:10;)

Added 2008-01-31 18:48:10 UTC


alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; sid: 2000328; rev:9;)

Added 2007-03-12 18:11:47 UTC

added flow, thanks joel

-- MattJonkman - 12 Mar 2007


alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails"; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; sid: 2000328; rev:8;)

Added 2007-03-12 11:00:34 UTC

I added the content:"mail from\:"; nocase; in place of flags S,12. Hopefully this will make the sig more meaningful. It'll only trip is mail is actually passing or being reasonably attempted.

-- MattJonkman - 12 Mar 2007


alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails"; flags: S,12; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; sid: 2000328; rev:7;)



Topic revision: r3 - 2016-12-07 - ChrisNorthrop
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats