[Oisf-users] Mail Attack Rules
Mesra.net CEO
admin at mesra.my
Wed Mar 8 21:08:53 UTC 2017
Dear Leonard,
Thanks for the advice, I will change to drop. BTW, is it possible with Suricata to make something like this:
reject tcp any any -> any [25,587,465] (msg:"***** BLOCK ABCDE.com EMail ATTACK *****"; dsize:>0; content:"@abcde.com"; content:!"user1@abcde.com"; content:!"user2@abcde.com"; sid:51; rev:1;)
That means Suricata will drop any received email for abcde.com but exclude user1@abcde.com and user1@abcde.com, is that possible?
Please help, TQ
From: Leonard Jacobs
Sent: Thursday, March 9, 2017 4:35 AM
To: Mesra.net CEO ; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Mail Attack Rules
Why are you using the action "reject" in your signature as opposed to "drop"? The action "reject" is essentially the same as sending a reset, so you are telling the bad guy that you are alive. By using the action "drop", you are just dropping the packets but not giving the other end a response. Maybe they are still hitting you because you are telling them that you are alive.
Leonard Jacobs, MBA, CISSP, CSSA
President/CEO
Netsecuris Inc.
Office 952-641-1421
http://www.netsecuris.com
From: Mesra.net CEO <admin at mesra.my>
To: <oisf-users at lists.openinfosecfoundation.org>
Sent: 3/8/2017 12:59 PM
Subject: [Oisf-users] Mail Attack Rules
Dear All,
Since a few days ago my server has been under attack: the attacker is sending thousands of emails to invalid email usernames, and it only affects one domain name. Currently I have to block more than 10k IPs per day for this issue. With Suricata I made the rule like below, but that totally blocks access for valid emails. Are there any tips on how I can make the rule more flexible, for example so that Suricata only blocks access to invalid emails that are not on a list, i.e. I will list all the valid recipient emails and the others will automatically be blocked:
reject tcp any any -> any [25,587,465] (msg:"***** BLOCK ABCDE.com EMail ATTACK *****"; dsize:>0; content:"@abcde.com"; sid:51; rev:1;)
Please help, TQ
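As an added example (not from the thread, and not the Suricata project's own code): the allowlist-style rule the follow-up asks about, generated from a recipient list, together with a small simulation of how Suricata evaluates a rule that carries several content: and content:! keywords. Every content keyword in one rule is checked against the same payload, so each negated match is an AND-ed exclusion. The domain is the one from the thread; the user names and SMTP payloads are constructed placeholders.

```python
"""
Added example (not from the thread): generate the allowlist-style Suricata
rule and simulate its content-match semantics on constructed SMTP payloads.
Every content: / content:! keyword in one rule is evaluated against the same
payload, so negated matches act as AND-ed exclusions.
Domain is from the thread; users and payloads are constructed placeholders.
"""

DOMAIN = "abcde.com"              # domain named in the thread
VALID_USERS = ["user1", "user2"]  # constructed allowlist (placeholders)


def build_rule(domain, valid_users, sid=51, rev=1, action="drop"):
    """Return one Suricata rule line: drop to-server traffic on the mail ports
    that carries '@domain' but none of the allowlisted recipient addresses.
    'nocase' is added to every content match so an address sent in a
    different case cannot slip past an exclusion."""
    opts = [
        f'msg:"BLOCK {domain} EMail ATTACK"',
        "flow:to_server,established",   # client-to-server direction only
        f'content:"@{domain}"', "nocase",
    ]
    for user in valid_users:
        opts += [f'content:!"{user}@{domain}"', "nocase"]
    opts += [f"sid:{sid}", f"rev:{rev}"]
    return f"{action} tcp any any -> any [25,587,465] ({'; '.join(opts)};)"


def rule_matches(payload, domain, valid_users, nocase=True):
    """Simulate the rule on ONE payload: the positive content must be present
    and every negated content must be absent. nocase=False reproduces the
    case-sensitive matching of the rule as posted in the thread."""
    norm = (lambda s: s.lower()) if nocase else (lambda s: s)
    p = norm(payload)
    if norm(f"@{domain}") not in p:
        return False
    return all(norm(f"{user}@{domain}") not in p for user in valid_users)


# Constructed SMTP payloads, one per packet
SAMPLES = {
    "invalid recipient":       "RCPT TO:<nosuchuser@abcde.com>\r\n",
    "allowlisted recipient":   "RCPT TO:<user1@abcde.com>\r\n",
    "upper-case allowlisted":  "RCPT TO:<USER1@abcde.com>\r\n",
    # Two RCPT commands in one segment: the allowlisted one shields the other
    "pipelined valid+invalid": "RCPT TO:<user1@abcde.com>\r\n"
                               "RCPT TO:<nosuchuser@abcde.com>\r\n",
}

if __name__ == "__main__":
    print(build_rule(DOMAIN, VALID_USERS))
    for name, payload in SAMPLES.items():
        with_nocase = rule_matches(payload, DOMAIN, VALID_USERS)
        as_posted = rule_matches(payload, DOMAIN, VALID_USERS, nocase=False)
        print(f"{name:26} nocase: {'DROP' if with_nocase else 'pass':4}  "
              f"case-sensitive: {'DROP' if as_posted else 'pass'}")
```

The simulation shows two things the rule text alone does not: without nocase, a legitimate user whose client sends the address in upper case is dropped by the rule as posted; and because the content keywords match raw payload rather than the parsed RCPT TO command, a segment carrying an allowlisted recipient alongside an invalid one passes entirely. A rule of this shape also fires on any to-server payload that merely contains the domain string, such as a message body, so it is a coarse filter rather than recipient validation.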
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users