[Oisf-users] Mail Attack Rules
Leonard Jacobs
ljacobs at netsecuris.com
Wed Mar 8 20:35:41 UTC 2017
Why are you using the action "reject" in your signature as opposed to "drop"? The action "reject" is essentially the same as sending a reset, so you are telling the bad guy that you are alive. By using the action "drop", you are just dropping the packets but not giving the other end a response. Maybe they are still hitting you because you are telling them that you are alive.
Leonard Jacobs, MBA, CISSP, CSSA
President/CEO
Netsecuris Inc.
Office 952-641-1421
http://www.netsecuris.com
From: Mesra.net CEO <admin at mesra.my>
To: <oisf-users at lists.openinfosecfoundation.org>
Sent: 3/8/2017 12:59 PM
Subject: [Oisf-users] Mail Attack Rules
Dear All,
Since a few days ago my server has been attacked and the attackers are sending thousands of emails to invalid email usernames, and it only affects one domain name. Currently I have to block more than 10k IPs per day for the issue. With Suricata I made the rule below, but that will totally block access for valid emails. Are there any tips so I can make the rule more flexible? For example, Suricata should only block access to invalid emails that are not on a list: I will list all the valid recipient emails and the others will automatically be blocked:
reject tcp any any -> any [25,587,465] (msg:"***** BLOCK ABCDE.com EMail ATTACK *****"; dsize:>0; content:"@abcde.com"; sid:51; rev:1;)
Please help, TQ
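An added example, not part of the thread or of Suricata: the allow-list logic the original poster asks for, modelled in Python over a constructed SMTP transcript, with a per-source count of unknown mailboxes so that the harvesting sources can be listed instead of every client that merely mentions the domain. The mailboxes, IPs and threshold are assumptions; note also that on port 465 the session is TLS from the first byte, so a content-matching rule never sees RCPT TO there.

```python
import re
from collections import Counter
from typing import List, Optional, Set, Tuple

# Constructed allow-list for the single affected domain (placeholder name from the rule).
PROTECTED_DOMAIN = "abcde.com"
VALID_RECIPIENTS = {"info@abcde.com", "sales@abcde.com", "postmaster@abcde.com"}

# "RCPT TO:<user@host>", angle brackets optional, case-insensitive.
RCPT_RE = re.compile(r"^RCPT TO:\s*<?([^<>@\s]+@[^<>\s]+?)>?\s*$", re.IGNORECASE)

def classify_rcpt(line: str) -> Optional[str]:
    """'allow', 'drop', or None when the line is not a RCPT TO command.

    Only PROTECTED_DOMAIN is checked against the allow-list; mail for other
    domains passes, unlike content:"@abcde.com", which matched every packet.
    """
    m = RCPT_RE.match(line.strip())
    if not m:
        return None
    addr = m.group(1).lower()
    if not addr.endswith("@" + PROTECTED_DOMAIN):
        return "allow"
    return "allow" if addr in VALID_RECIPIENTS else "drop"

def scan_session(lines: List[str]) -> Tuple[str, int]:
    """(verdict, count of unknown @abcde.com recipients) for one SMTP session.
    Any unknown mailbox means 'drop': as with Suricata's drop action, nothing
    goes back to the sender, so it learns nothing about the host."""
    invalid = sum(1 for line in lines if classify_rcpt(line) == "drop")
    return ("drop" if invalid else "allow"), invalid

def harvest_sources(sessions: List[Tuple[str, List[str]]], threshold: int = 3) -> Set[str]:
    """Source IPs whose sessions named at least `threshold` unknown mailboxes:
    the ones worth blocking at the edge, not every client naming the domain."""
    per_ip: Counter = Counter()
    for src_ip, lines in sessions:
        per_ip[src_ip] += scan_session(lines)[1]
    return {ip for ip, n in per_ip.items() if n >= threshold}

# Constructed transcript (RFC 5737 test addresses): one harvester, one real sender.
SESSIONS = [
    ("198.51.100.7", ["EHLO bulk.test", "MAIL FROM:<x@bulk.test>",
                      "RCPT TO:<qwerty1@abcde.com>", "RCPT TO:<zz9@ABCDE.com>",
                      "RCPT TO:<asdf@abcde.com>"]),
    ("203.0.113.5", ["EHLO mail.partner.test", "MAIL FROM:<bob@partner.test>",
                     "RCPT TO:<sales@abcde.com>"]),
]
```

Calling `harvest_sources(SESSIONS)` on the constructed transcript returns only the harvesting client, while the partner's session to the listed mailbox is left alone.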
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users