Custom Sig needed to count port 25 traffic

j.karom · ‎03-18-2004

Looking at creating a custom sig to count the SMTP traffic on port 25, both incoming and outgoing.

Need some hard numbers for the bean counters.

Have an IDS 4210 and I tried capturing our domain name using a bunch of methods. I got numbers, but they were all over the place. I just want the sig to fire an informational alert each time a SMTP message is sent or received on port 25.

Counters on our mail server won't due the trick, since bugs, spam, etc are blocked before they get there.

I want to see the raw numbers (count) of SMTP (port 25) traffic before any filtering, blocking, etc is done.

Any help would be appreciated.

a.arndt · ‎03-18-2004

One possible solution would involve using two alarms; one for inbound and one for outbound SMTP traffic. Advantage here is the granularity you'll get since you'll actually be able to provide not only overall statistics (the two added together) but also the numbers for each direction.

Here's what I suggest:

Custom Sig 1 (Inbound SMTP)

TCP.ATOMIC

SRC PORT = 25

TCP FLAGS = SYN,ACK = True; all other flags = False

SRC ADDRESS = IP of SMTP server(s)

Severity = Informational

Default Alert Behavior = Alert Each Time

Custom Sig 2 (Outbound SMTP)

TCP.ATOMIC

DST PORT = 25

TCP FLAGS = SYN,ACK= True; all other flags = False

DST ADDRESS = IP of SMTP server(s)

Severity = Informational

Default Alert Behavior = Alert Each Time

Caveats:

Anyone performing a SYN scan against your SMTP server(s) will unfortunately elicit a SYN,ACK. As a result, the Inbound rule is therefore going to be somewhat inaccurate.

That being said, the Outbound rule should be quite accurate since there should be no reason for any foreign system to send your SMTP SYN,ACK packets to TCP port 25 unless your SMTP has first sent a SYN packet to it. Again, there is a chance of inaccuracy due to scanning, but I believe unsolicited SYN,ACK packets should be less likely than inbound SYN packets that never result in an actual connection being established.

NOTE:

If you have some kind of SMTP gateway between your SMTP server(s) and the Internet, then you can further tune the signatures so that it uses the IP address of that system for the other end of the connections. Then you should get very accurate numbers.

Hope this helps,

Alex

darin.marais · ‎03-18-2004

What about just enabling signature 3000-TCP ports for port 25. just a thought!

a.arndt · ‎03-19-2004

Hey Darin,

I was going to suggest that one too, but then I considered the fact that the signature would fire anytime a SYN was detected for DST PORT 25.

Not the best if your trying to capture the number of e-mails sent/received by an SMTP server, since the numbers won't accurately reflect the desired result. Instead, every vanilla scan to TCP port 25 will cause the signature you suggest to fire.

BTW, please correct me if I'm wrong but I looked at one of my sensors running 4.1 and couldn't even find SigID 3000 (TCP Ports) or 4000 (UDP Ports). Are these no longer used?

Alex

darin.marais · ‎03-22-2004

Alex,

You are quite correct, thanks for pointing this out; it looks as if the TCP ports and UDP ports signature is not available with version 4.1; I guess your custom signature would be the answer.