<HTML><HEAD></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial'; COLOR: #000000">
<DIV>Dear Leonard,</DIV>
<DIV> </DIV>
<DIV>Thanks for the advice, I will change to drop. By the way, is it possible with Suricata
to make something like this:</DIV>
<DIV> </DIV>
<DIV>reject tcp any any -> any [25,587,465] (msg:"***** BLOCK ABCDE.com EMail
ATTACK *****"; dsize:>0; content:"@abcde.com"; content:!"user1@abcde.com";
content:!"user2@abcde.com"; sid:51; rev:1;)</DIV>
<DIV> </DIV>
<DIV>That means Suricata will drop any incoming email for abcde.com but exclude
user1@abcde.com and user1@abcde.com, is that possible?</DIV>
<DIV> </DIV>
<DIV>Please help, TQ</DIV>
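<DIV>As an added example (not from this thread and not Suricata code), the Python sketch below applies the AND logic of the rule above (dsize, one positive content, two negated contents) to constructed SMTP client lines, showing that a valid address anywhere in the same packet exempts the whole packet and that matching is case-sensitive without nocase:</DIV>

```python
"""Simulate how the posted Suricata rule's content/!content keywords decide a
packet, to see what the allowlist-by-negation idea does and does not catch.
Added example, not Suricata code; the SMTP lines below are constructed."""

RULE_DOMAIN = b"@abcde.com"
# Negated content keywords from the posted rule (content:!"...")
ALLOWED = [b"user1@abcde.com", b"user2@abcde.com"]


def rule_matches(payload: bytes) -> bool:
    """All keywords are ANDed, as in Suricata: dsize:>0, the positive content
    must occur somewhere in the payload, and each negated content must occur
    nowhere in it. Matching is case-sensitive by default (no nocase)."""
    if len(payload) == 0:                 # dsize:>0
        return False
    if RULE_DOMAIN not in payload:        # content:"@abcde.com"
        return False
    return all(a not in payload for a in ALLOWED)   # content:!"..."


# Constructed SMTP client lines, one payload per packet, for illustration.
SAMPLES = {
    "valid recipient": b"RCPT TO:<user1@abcde.com>\r\n",
    "invalid recipient": b"RCPT TO:<zzz9182@abcde.com>\r\n",
    "other domain": b"RCPT TO:<someone@example.org>\r\n",
    # Pipelined commands in one packet: the valid address exempts the bad one.
    "mixed batch": b"RCPT TO:<user1@abcde.com>\r\nRCPT TO:<zzz9182@abcde.com>\r\n",
    # SMTP domains are case-insensitive, but content without nocase is not.
    "case differs": b"RCPT TO:<USER1@ABCDE.COM>\r\n",
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {label: True if the rule would fire (drop/reject the packet)}."""
    return {label: rule_matches(p) for label, p in samples.items()}


if __name__ == "__main__":
    for label, fired in evaluate().items():
        print(f"{label:18} -> {'DROP' if fired else 'pass'}")
```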
<DIV> </DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV style="FONT: 10pt tahoma">
<DIV> </DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A
title=ljacobs@netsecuris.com>Leonard Jacobs</A> </DIV>
<DIV><B>Sent:</B> Thursday, March 9, 2017 4:35 AM</DIV>
<DIV><B>To:</B> <A title=admin@mesra.my>Mesra.net CEO</A> ; <A
title=oisf-users@lists.openinfosecfoundation.org>oisf-users@lists.openinfosecfoundation.org</A>
</DIV>
<DIV><B>Subject:</B> Re: [Oisf-users] Mail Attack Rules</DIV></DIV></DIV>
<DIV> </DIV></DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>Why
are you using the action "reject" in your signature as opposed to "drop"? The
action "reject" is essentially the same as sending a reset, so you are telling
the bad guy that you are alive. By using the action "drop", you are just
dropping the packets but not giving the other end a response. Maybe they
are still hitting you because you are telling them that you are
alive.<BR><BR><FONT size=4 face=Arial>Leonard Jacobs, MBA, CISSP,
CSSA<BR></FONT>
<DIV><FONT size=3 face=Arial>President/CEO</FONT></DIV>
<DIV><FONT size=3 face=Arial>Netsecuris Inc.</FONT></DIV>
<DIV><FONT size=3 face=Arial>Office 952-641-1421</FONT></DIV>
<DIV><FONT size=3 face=Arial>http://www.netsecuris.com</FONT></DIV><BR><BR><BR>
<DIV><STRONG>From: </STRONG>Mesra.net CEO &lt;admin@mesra.my&gt; <BR><STRONG>To:
</STRONG>&lt;oisf-users@lists.openinfosecfoundation.org&gt; <BR><STRONG>Sent:
</STRONG>3/8/2017 12:59 PM <BR><STRONG>Subject: </STRONG>[Oisf-users] Mail
Attack Rules <BR><BR>
<BLOCKQUOTE class=mori
style="PADDING-LEFT: 1ex; BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex">
<DIV>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial'; COLOR: #000000">
<DIV>Dear All,</DIV>
<DIV> </DIV>
<DIV>Since a few days ago my server has been attacked: the attacker is sending
thousands of emails to invalid email usernames, and it only affects 1
domain name. Currently I have to block more than 10k IPs per day for this
issue. With Suricata I make the rules like below, but that will totally block
the access for valid emails. Are there any tips so I can make the rules more
flexible, for example so that Suricata only blocks access to invalid emails
outside of the list? For example, I will list down all the valid recipient emails
and the others will automatically be blocked:</DIV>
<DIV> </DIV>
<DIV>reject tcp any any -> any [25,587,465] (msg:"***** BLOCK ABCDE.com
EMail ATTACK *****"; dsize:>0; content:"@abcde.com"; sid:51; rev:1;)</DIV>
<DIV> </DIV>
<DIV>Please help, TQ</DIV>
<DIV> </DIV>
<DIV> </DIV></DIV></DIV><BR><BR>_______________________________________________<BR>Suricata
IDS Users mailing list: oisf-users@openinfosecfoundation.org<BR>Site:
http://suricata-ids.org | Support: http://suricata-ids.org/support/<BR>List:
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<BR></BLOCKQUOTE></DIV></DIV></DIV></DIV></BODY></HTML>