I'm trying to create a signature that will fire when e-mails containing multipart/related ; and multipart/alternative. I created 2 individual Sig for each of the content types (Sigid-60004 and 60005)and was getting some hits. The traffic I'm looking to stop contains both Sig's and I'm in the process of creating a Meta Sig. I'm using the AIC HTTP engine and was wondering was this the best engine to examine traffic hitting my mail server? Thanks for any help.
I don't follow. How did you get the AIC HTTP engine to fire on SMTP traffic? What you're talking about above is MIME encapsulated email right? Take a look at S223. It uses the SMTP state engine, it appears that might be your best choice.
Sorry for the confusion, still very green at creating signatures. After looking at the log when the signature fired it was on HTTP traffic (Guess I get too happy after creating my first sig and having it fire). I'll take A look thanks.
Can I still look at content type in the SMTP state engine. I have one particular e-mail the gives me a *.gif (about some stock price) and some crazy text not related. After comparing message header from these messages I see that they all had a Content-Type: multipart/related;
My plan was to see if I could create a meta signature that would capture the traffic that meet both content types and find more infomation. I'm gettnig the messages from different domains so blocking the source was getting to be too much. Here are some Helo statements that I wasn't sure of:
Received: from [198.54.x.x] (helo=zfjzhh),
Received: from [82.255.x.x] (helo=qitc)
Not sure if that is normal of not, but I didn't see it in other mail messages I recieved. What would be my best approach? Anything that will put me on the path would be great. Thanks in advance.
Are you doing this just to practice making sigs? The reality is that it would be difficult to use an IDS/IPS to filter spam. the helo command doesn't necessarily imply SPAM, nor does the use of multipart messages.
Spammers are aware of static rules; each gif will probably be unique. They also constantly change IPs. Spam has dramatically increased over the last few months, and will continue to get more sophisticated.
Like the previous poster stated, the IDS will not do a very good job against spam. I would look to another anti-spam solution. We use GFI MailEssentials
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...