[Oisf-users] Mail Attack Rules

Andreas Herz andi at geekosphere.org
Sun Mar 12 20:02:54 UTC 2017

On 09/03/17 at 05:08, Mesra.net CEO wrote:
> reject tcp any any -> any [25,587,465] (msg:"***** BLOCK ABCDE.com
> EMail ATTACK *****"; dsize:>0; content:"@abcde.com";
> content:!"user1 at abcde.com"; content:!"user2 at abcde.com"; sid:51;
> rev:1;)
> That mean suricata will drop any receiving email for abcde.com but
> exclude user1 at abcde.com and user1 at abcde.com, is that possible ?

yes you can exlude content with !

But you said you have a range of IPs you want to block, if they won't
send valid mails wouldn't it be easier to block a list of IPs?

Andreas Herz

More information about the Oisf-users mailing list