[Oisf-users] Mail Attack Rules

Mesra.net CEO admin at mesra.my
Wed Mar 8 21:08:53 UTC 2017

Dear Leonard,

Thanks for the advice, I will change to drop. BTW, is it possible with Suricata to make something like this:

reject tcp any any -> any [25,587,465] (msg:"***** BLOCK ABCDE.com EMail ATTACK *****"; dsize:>0; content:"@abcde.com"; content:!"user1@abcde.com"; content:!"user2@abcde.com"; sid:51; rev:1;)

That means Suricata will drop any received email for abcde.com but exclude user1@abcde.com and user2@abcde.com, is that possible?

Please help, TQ

From: Leonard Jacobs 
Sent: Thursday, March 9, 2017 4:35 AM
To: Mesra.net CEO ; oisf-users at lists.openinfosecfoundation.org 
Subject: Re: [Oisf-users] Mail Attack Rules

Why are you using the action "reject" in your signature as opposed to "drop"? The action "reject" is essentially the same as sending a reset, so you are telling the bad guy that you are alive. By using the action "drop", you are just dropping the packets but not giving the other end a response. Maybe they are still hitting you because you are telling them that you are alive.

Leonard Jacobs, MBA, CISSP, CSSA

Netsecuris Inc.
Office 952-641-1421

From: Mesra.net CEO <admin at mesra.my> 
To: <oisf-users at lists.openinfosecfoundation.org> 
Sent: 3/8/2017 12:59 PM 
Subject: [Oisf-users] Mail Attack Rules 

  Dear All,

  Since a few days ago my server has been under attack: the attacker is sending thousands of emails to invalid email usernames and it only affects 1 domain name. Currently I have to block more than 10k IPs per day for this issue. With Suricata I made the rule like below, but that totally blocks access for valid emails. Are there any tips for making the rule more flexible, for example so that Suricata only blocks access to invalid emails outside a list: I will list down all the valid recipient emails and the others will automatically be blocked:

  reject tcp any any -> any [25,587,465] (msg:"***** BLOCK ABCDE.com EMail ATTACK *****"; dsize:>0; content:"@abcde.com"; sid:51; rev:1;)

  Please help, TQ

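As an added illustration (not part of the thread), a small Python evaluator applies the substring semantics of Suricata's `content:` and `content:!` keywords to constructed SMTP payloads, showing which packets the proposed allowlist rule would reject and where it over- or under-blocks:

```python
# Added example, not from the thread: model the match logic of the rule
#   content:"@abcde.com"; content:!"user1@abcde.com"; content:!"user2@abcde.com"
# over constructed SMTP payloads. Suricata's content keywords are case-sensitive
# substring tests on the inspected buffer; a negated content matches only when
# the string is absent anywhere in that buffer.

RULE_REQUIRE = ["@abcde.com"]                          # content:"..."
RULE_EXCLUDE = ["user1@abcde.com", "user2@abcde.com"]  # content:!"..."


def rule_matches(payload: str) -> bool:
    """Return True when the payload would trigger the rule (reject/drop)."""
    if not payload:                                    # dsize:>0
        return False
    if not all(s in payload for s in RULE_REQUIRE):    # positive contents
        return False
    return not any(s in payload for s in RULE_EXCLUDE)  # negated contents


# Constructed SMTP fragments, each standing for one inspected payload.
SAMPLES = {
    "valid_rcpt":   "RCPT TO:<user1@abcde.com>\r\n",
    "invalid_rcpt": "RCPT TO:<nosuchuser@abcde.com>\r\n",
    "other_domain": "RCPT TO:<someone@example.net>\r\n",
    # Message body of an otherwise legitimate mail mentions the domain.
    "body_mention": "Please write to support@abcde.com for help.\r\n",
    # Two recipients arrive in one payload; the allowed one masks the other.
    "pipelined":    "RCPT TO:<user1@abcde.com>\r\nRCPT TO:<nosuchuser@abcde.com>\r\n",
}


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample name to whether the rule would block it."""
    return {name: rule_matches(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, blocked in evaluate().items():
        print(f"{name:13s} -> {'BLOCK' if blocked else 'pass'}")
```

The `body_mention` case is blocked even though it may belong to a mail for a valid user, and the `pipelined` case passes even though it carries an invalid recipient; this is why per-recipient validation is best done in the MTA (rejecting unknown users at RCPT TO) rather than in a payload-matching rule.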