[Oisf-users] Mail Attack Rules

Leonard Jacobs ljacobs at netsecuris.com
Wed Mar 8 20:35:41 UTC 2017

Why are using the action "reject" in your signature as opposed to "drop".  The action "reject" is essentially the same as sending a reset so you are telling the bad guy that you are alive.  By using the action "drop", you are just dropping the packets but not giving the other end a response.  Maybe they are still hitting you because you are telling them that you are alive.

Leonard Jacobs, MBA, CISSP, CSSA

Netsecuris Inc.
Office 952-641-1421

 From:   Mesra.net CEO <admin at mesra.my> 
 To:   <oisf-users at lists.openinfosecfoundation.org> 
 Sent:   3/8/2017 12:59 PM 
 Subject:   [Oisf-users] Mail Attack Rules 

Dear All, 
Since few days ago my server has been attack and the attacker are sending  thousands of emails to invalid email username and its only effected to 1 domain  name, currently i  have to block more then 10k IPs per day for the issue,  with suricata i make the rules like below but that will totally block the access  for valid emails, is theres any tips i can make the rules for more flexible for  example the suricata only block any access to invalid email from out of the  list, for example i will list down all the valid receipent emails and the others  will automatically block: 
reject tcp any any -> any [25,587,465] (msg:"***** BLOCK ABCDE.com EMail  ATTACK *****"; dsize:>0; content:"@abcde.com"; sid:51; rev:1;) 
Please help, TQ 

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170308/eea58073/attachment-0002.html>

More information about the Oisf-users mailing list