[Oisf-users] Mail Attack Rules
Andreas Herz
andi at geekosphere.org
Sun Mar 12 20:02:54 UTC 2017
On 09/03/17 at 05:08, Mesra.net CEO wrote:
> reject tcp any any -> any [25,587,465] (msg:"***** BLOCK ABCDE.com
> EMail ATTACK *****"; dsize:>0; content:"@abcde.com";
> content:!"user1@abcde.com"; content:!"user2@abcde.com"; sid:51;
> rev:1;)
>
> That means Suricata will drop any received email for abcde.com but
> exclude user1@abcde.com and user1@abcde.com, is that possible?
Yes, you can exclude content with !
But you said you have a range of IPs you want to block; if they won't
send valid mails, wouldn't it be easier to block a list of IPs?
--
Andreas Herz
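As an added illustration (not part of this thread, and not Suricata code), a small Python model of the quoted rule's content/!content logic run over constructed SMTP fragments. It shows that the exclusions behave as described, and also that a session naming both an excluded recipient and any other abcde.com recipient is not rejected, because a negated content keyword fails as soon as its pattern appears anywhere in the payload; the sample payloads and the RULE_CONTENT table are assumptions built from the rule in the post.

```python
# Added example, not from the original thread: a minimal model of how the
# quoted rule's content / content:! keywords combine. It does not emulate
# Suricata itself (no port matching, no stream reassembly).

# The quoted rule expressed as (pattern, negated) content matches.
# Patterns are plain case-sensitive substrings, as a bare Suricata
# content keyword without 'nocase' is.
RULE_CONTENT = [
    (b"@abcde.com", False),
    (b"user1@abcde.com", True),   # content:!"..." -> must NOT appear
    (b"user2@abcde.com", True),
]

def rule_matches(payload: bytes) -> bool:
    """Return True when every content keyword of the rule is satisfied.
    A negated content is satisfied only if its pattern appears nowhere."""
    if len(payload) == 0:          # dsize:>0
        return False
    for pattern, negated in RULE_CONTENT:
        present = pattern in payload
        if present == negated:     # positive missing, or negated present
            return False
    return True

# Constructed sample SMTP fragments (not captured traffic).
SAMPLES = {
    "other_user": b"RCPT TO:<user9@abcde.com>\r\n",
    "excluded_user": b"RCPT TO:<user1@abcde.com>\r\n",
    "mixed_recipients": b"RCPT TO:<user1@abcde.com>\r\nRCPT TO:<user9@abcde.com>\r\n",
    "unrelated": b"RCPT TO:<someone@example.net>\r\n",
    "case_differs": b"RCPT TO:<user9@ABCDE.COM>\r\n",
}

def evaluate_samples() -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_matches(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} -> {'reject' if hit else 'pass'}")
```

Note that "mixed_recipients" passes: the negated match on user1@abcde.com fails the whole rule even though user9@abcde.com is also present.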