Below is the custom signature I created to catch rogue SMTP engines on my network. Many of the alarms do not have DST/SRC ports or IPs. About ten percent of the alarms have correct information. Am I missing something in my custom sig? After applying this sig, my 4230 CPU utilization jumped to 15% from ~10% (not significant).
Sample (no dst port or ip): 5/4/2003 | 8:58:18 | OUT | OUT | 5|20005 | 22.214.171.124 | 0.0.0.0 | 3611 | 0 - Interval Summary: 1 of total 809 alarms
Ok, this has a couple of problems. First, if you really only want to catch "rogue" SMTP servers, it would be better to look for SYN/ACK packets coming from port 25 instead of looking for a SYN to 25. This will tell you that a service is actually listening. Second, I'd use the SinglePacketRegex to look for a "220" pattern. This will better indicate an SMTP server. Lastly, don't forget to filter out your legitimate SMTP servers as sources. Try this signature:
Thanks for your prompt reply, and let me get a little more specific about my objective. I'm actually looking for Trojans that have their own SMTP engine. Spammers are using these PCs that have been compromised with these Trojans (i.e. Proxy-Guzu) to send out spam emails to whatever mail domain they choose. These engines are not necessarily listening for incoming mail.
Okay, it looks like your original problem is that you are receiving too many alarms and the alarms are then summarized. Summarized alarms do not contain specific information for each alarm because they represent many alarms. You will have to filter out all of your SMTP servers in order to get the alarm levels down so that the sensor does not summarize. From there you will find the specific information that you are looking for.
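An added example (mine, not from the thread or any Cisco sensor tool) that does offline what the replies recommend: it parses alarm lines in the layout of the sample above, sets aside summarized alarms (which carry no usable destination or port), drops the legitimate mail servers as sources, and counts outbound port-25 attempts per host so that boxes running their own SMTP engine stand out. The field layout, the MAIL_SERVERS set, the threshold and the sample lines are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumed field layout, taken from the sample alarm in the thread:
# date | time | dir | dir | sev|sigid | src ip | dst ip | src port | dst port[ - Interval Summary: N of total M alarms]
SUMMARY_RE = re.compile(r"Interval Summary:\s*\d+ of total (\d+) alarms")

# Hypothetical legitimate MTA(s); outbound SMTP from these is expected, so they are filtered out.
MAIL_SERVERS = {"192.0.2.25"}

def parse_alarm(line):
    """Split one alarm line into a dict; returns None for lines that don't fit the layout."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 10:
        return None
    summary = SUMMARY_RE.search(fields[9])
    dport_text = fields[9].split("-")[0].strip()   # "0 - Interval Summary..." -> "0"
    return {
        "src": fields[6], "dst": fields[7],
        "sport": int(fields[8]), "dport": int(dport_text),
        "summarized": summary is not None,
        "count": int(summary.group(1)) if summary else 1,   # alarms folded into a summary
    }

def find_rogue_smtp_sources(lines, threshold=50):
    """Return (suspect sources, per-source counts, number of alarms lost to summarization)."""
    counts = Counter()
    summarized = 0
    for line in lines:
        alarm = parse_alarm(line)
        if alarm is None:
            continue
        if alarm["summarized"]:
            summarized += alarm["count"]   # no dst/port detail here; only the volume is known
            continue
        if alarm["dport"] != 25 or alarm["src"] in MAIL_SERVERS:
            continue
        counts[alarm["src"]] += 1
    suspects = sorted(src for src, n in counts.items() if n >= threshold)
    return suspects, counts, summarized

# Constructed sample alarms (RFC 5737 addresses), mirroring the thread's line format.
SAMPLE_ALARMS = [
    "5/4/2003 | 8:58:18 | OUT | OUT | 5|20005 | 192.0.2.77 | 0.0.0.0 | 3611 | 0 - Interval Summary: 1 of total 809 alarms",
    "5/4/2003 | 8:58:19 | OUT | OUT | 5|20005 | 192.0.2.25 | 198.51.100.9 | 40011 | 25",
    "5/4/2003 | 8:58:20 | OUT | OUT | 5|20005 | 192.0.2.77 | 198.51.100.10 | 3612 | 25",
    "5/4/2003 | 8:58:21 | OUT | OUT | 5|20005 | 192.0.2.77 | 198.51.100.11 | 3613 | 25",
    "5/4/2003 | 8:58:22 | OUT | OUT | 5|20005 | 192.0.2.77 | 198.51.100.12 | 3614 | 25",
    "5/4/2003 | 8:58:23 | OUT | OUT | 5|20005 | 192.0.2.90 | 198.51.100.13 | 3615 | 25",
]
```

A large summarized count next to a small per-host tally is the signal from the last reply: the sensor is folding alarms, so the filter on MAIL_SERVERS has to bring volume down before per-host detail becomes visible.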