Network Security: Detailed info on RE: [Snort-sigs] http post on port 25

Subject:	RE: [Snort-sigs] http post on port 25
Date:	Tue, 8 Feb 2005 14:56:59 -0500

I would bet I know what this is.  A spammer has found an open http proxy
server.  He is "requesting" the "document" located at
http://your.mail.server:25/ from that http proxy server, and part of the
POST operation just happens to be very similar to an SMTP conversation.

Probably handy to know about, if for no other reason than to build up a list
of open proxy servers out there.

-Joe

-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net
[mailto:snort-sigs-admin@lists.sourceforge.net]On Behalf Of hans
Sent: Tuesday, February 08, 2005 11:42 AM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] http post on port 25

hi all

this days i noticed some strange dialogs on smtp port 25
hosts around the world are trying to setup a dialog
immediatly after the SYN - SYN ACK - ACK frames
with the following content:
 POST / HTTP/1.1
 Host: my.hostname.com:25
 Content-Type: text/plain
 ... and so on

o.k. - i am not crazy, i really speak about e-mail, and
this is not the content of the message body, it's the tcp-flow
later in the dialog there is a rset, but game over
with sendmail and greeting feature.

there are some additional infos, like a tcpdump and a rule for
snort, to find at  http://ma.yer.at/2005/smtp_post.html

i would be interested, if you could also notice such traffic.
i can't belive, are there any mail-gateways, which respond to
http-post-commands on port 25 ?

here the rule, which does the job for me perfectly:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP POST";
flow:to_server,established; content:"post"; nocase; content:"/";
nocase; pcre:"/^post\s+\/\s+http\/1.1/smi";
classtype:attempted-recon; sid:050201; rev:10;)

i am new to snort, so i don't know if this rule is correct,
for example, i don't know where to get a correct sid, i took
the current date.
what i did, i took an other smtp-rule and did modify the content.

best regards
hans

p.s.: i hope this is the correct forum, or should i post
      in the Snort-users list ?

--

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] False positive with Nagios check_http, Carsten Schmitz Re: [Snort-sigs] False positive with Nagios check_http, Frank Knobbe [Snort-sigs] http post on port 25, hans RE: [Snort-sigs] http post on port 25, Joe Patterson <= Re: [Snort-sigs] http post on port 25, hans RE: [Snort-sigs] http post on port 25, Joe Patterson Re: [Snort-sigs] http post on port 25, hans

Previous by Date:	[Snort-sigs] WINS Rule Testing Requested, Alex Kirk
Next by Date:	Re: [Snort-sigs] http post on port 25, hans
Previous by Thread:	[Snort-sigs] http post on port 25, hans
Next by Thread:	Re: [Snort-sigs] http post on port 25, hans
Indexes:	[Date] [Thread] [Top] [All Lists]