[Oisf-users] Problem to Start Suricata

Jason Williams jwilliams at emergingthreats.net
Fri Jul 14 00:39:52 UTC 2017


Hello,

For your rule, please try the following:

alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"*** WARNING!!! WARNING!!! SUSPECT SPAMMER!!! ***"; flow:to_server,established; content:"Subject|3a 20|"; nocase; content:"sexiest"; nocase; within:200; fast_pattern; sid:6677666667; rev:1;)

If this does not work, I would be happy to take a look at a packet capture
and help further.

Thanks,

Jason

On Thu, Jul 13, 2017 at 7:10 PM, Mesra.net CEO <admin at mesra.my> wrote:

> Dear Sir,
>
> Let me explain about the rule. Actually, I try to detect if any of my
> client's email has been defaced and a spammer will send out thousands of emails
> from my network to anybody's email. I tried with the rules and tried to send
> out a message with subject 'sexiest', but fast.log doesn't show
> anything related to the rule.
>
> Please help. TQ so much
>
>
> -----Original Message----- From: rmkml
> Sent: Friday, July 14, 2017 7:44 AM
> To: Mesra.net CEO
> Cc: oisf-users at lists.openinfosecfoundation.org ; rmkml at ligfy.org
> Subject: Re: [Oisf-users] Problem to Start Suricata
>
>
> Hi Mesra,
>
> yes you have switched dest_ip (any) and dest_port ([25,587,465]), please
> try this (not tested):
>
>  alert tcp $HOME_NET any -> any [25,587,465] (msg:"*** WARNING!!!
> WARNING!!! SUSPECT SPAMMER!!! ***"; dsize:>0; content:"sexiest";
> sid:6677666667; rev:1;)
>
> Best Regards
> @Rmkml
>
>
> On Fri, 14 Jul 2017, Mesra.net CEO wrote:
>
> Dear All,
>>
>> I have problem on Suricata as below:
>>
>> 14/7/2017 -- 07:32:44 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)]
>> - failed to parse address "25"
>> 14/7/2017 -- 07:32:44 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
>> - error parsing signature "alert tcp $HOME_NET any -> [25,587,465] any
>> (msg:"*** WARNING!!! WARNING!!! SUSPECT SPAMMER!!! ***"; dsize:>0;
>> content:"sexiest"; sid:6677666667; rev:1;)" from file
>> /etc/suricata/rules/custom.rules at line 46
>>
>> Is there any problem with my rule:
>>
>> alert tcp $HOME_NET any -> [25,587,465] any (msg:"*** WARNING!!! WARNING!!! SUSPECT SPAMMER!!! ***"; dsize:>0; content:"sexiest"; sid:6677666667; rev:1;)
>>
>> Please advise. TQ so much
>>
>>
>>
>>
>> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
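To make the header-ordering point of the thread concrete, here is an added Python checker (my own example, not Suricata's parser and not code from anyone in the thread). It splits a rule into action/proto/src/sport/dir/dst/dport/options, validates each address and port group, and reports the first bad token, so the original rule fails on the address "25" exactly where Suricata did, while rmkml's and Jason's headers pass. The option check rests on my assumption that sid is stored as a 32-bit unsigned value; on that assumption it also flags the sid used throughout the thread as out of range. The three sample rules are constructed from the ones quoted above.

```python
"""Toy Suricata rule-header checker (added example, not Suricata's own parser).

It mirrors the order in which Suricata rejected the rule from the thread:
'[25,587,465]' sits in the destination *address* slot, so its first item
"25" is parsed as an address and fails ("failed to parse address \"25\"").
"""
import ipaddress
import re

# Constructed sample rules, taken from the thread: the original (broken)
# header, rmkml's corrected header, and Jason's smtp app-layer version.
BROKEN_RULE = ('alert tcp $HOME_NET any -> [25,587,465] any '
               '(msg:"*** WARNING!!! WARNING!!! SUSPECT SPAMMER!!! ***"; '
               'dsize:>0; content:"sexiest"; sid:6677666667; rev:1;)')
FIXED_RULE = ('alert tcp $HOME_NET any -> any [25,587,465] '
              '(msg:"*** WARNING!!! WARNING!!! SUSPECT SPAMMER!!! ***"; '
              'dsize:>0; content:"sexiest"; sid:6677666667; rev:1;)')
SMTP_RULE = ('alert smtp $HOME_NET any -> $EXTERNAL_NET any '
             '(msg:"*** WARNING!!! WARNING!!! SUSPECT SPAMMER!!! ***"; '
             'flow:to_server,established; content:"Subject|3a 20|"; nocase; '
             'content:"sexiest"; nocase; within:200; fast_pattern; '
             'sid:6677666667; rev:1;)')

# Rule header layout: action proto src sport dir dst dport (options)
# Simplification: address/port groups are assumed to contain no spaces.
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$',
    re.DOTALL,
)
SID_MAX = 2**32 - 1  # assumption: Suricata stores sid as an unsigned 32-bit int


def split_group(token):
    """'[25,587,465]' -> ['25', '587', '465']; '!$HOME_NET' -> ['$HOME_NET'].

    Nested groups such as [[a,b],c] are not handled by this toy splitter.
    """
    tok = token.strip().lstrip('!')
    if tok.startswith('[') and tok.endswith(']'):
        tok = tok[1:-1]
    return [t.strip().lstrip('!') for t in tok.split(',') if t.strip()]


def is_address(item):
    """'any', a $VARIABLE, or an IPv4/IPv6 address or CIDR block."""
    if item == 'any' or item.startswith('$'):
        return True
    try:
        ipaddress.ip_network(item, strict=False)
        return True
    except ValueError:
        return False


def is_port(item):
    """'any', a $VARIABLE, a single port, or a range like 1024: / :1024 / 25:587."""
    if item == 'any' or item.startswith('$'):
        return True
    m = re.fullmatch(r'(\d+)?(?::(\d+)?)?', item)
    if not m or item in ('', ':'):
        return False
    return all(0 <= int(p) <= 65535 for p in m.groups() if p is not None)


def check_header(rule):
    """Return (ok, detail); on failure detail names the offending token."""
    m = HEADER_RE.match(rule)
    if not m:
        return False, 'cannot split rule into header and options'
    checks = (
        ('src', m['src'], is_address, 'address'),
        ('sport', m['sport'], is_port, 'port'),
        ('dst', m['dst'], is_address, 'address'),
        ('dport', m['dport'], is_port, 'port'),
    )
    for field, token, pred, kind in checks:
        for item in split_group(token):
            if not pred(item):
                return False, f'failed to parse {kind} "{item}" ({field})'
    return True, f'{m["proto"]} {m["src"]} {m["sport"]} {m["dir"]} {m["dst"]} {m["dport"]}'


def check_options(rule):
    """Require sid and rev and check sid fits in 32 bits (naive ';' split)."""
    m = HEADER_RE.match(rule)
    if not m:
        return False, 'no options'
    opts = {}
    for raw in m['opts'].split(';'):  # breaks on ';' inside quoted content
        if raw.strip():
            name, _, value = raw.strip().partition(':')
            opts[name.strip()] = value.strip()
    for req in ('sid', 'rev'):
        if req not in opts:
            return False, f'missing {req}'
    if not opts['sid'].isdigit() or int(opts['sid']) > SID_MAX:
        return False, f'sid {opts["sid"]} is not a valid 32-bit id'
    return True, 'ok'


if __name__ == '__main__':
    for name, rule in (('original', BROKEN_RULE), ('rmkml', FIXED_RULE),
                       ('jason', SMTP_RULE)):
        print(name, check_header(rule), check_options(rule))
```

Running it prints a header failure only for the original rule, and a sid failure for all three; the latter is worth keeping in mind when choosing local sid values, since the thread's sid has ten digits.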