Filtering SMTP EHLO



  • I'm looking for a way to filter IPs by specific EHLO values in SMTP traffic.  I've heard that this can be done via SNORT as a custom rule.

    Any help in how this can be done?

    Thanks.



  • Hi.

    https://www.snort.org/faq/readme-smtp

    invalid_cmds { } * Alert if this command is sent from client side. DEFAULT empty list

    valid_cmds { } * List of valid commands. We do not alert on commands in this list. DEFAULT empty list, but preprocessor has this list hard-coded:
        { ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN }
        { HELO HELP IDENT MAIL NOOP QUIT RCPT RSET SAML SOML SEND ONEX QUEU }
        { STARTTLS TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE }
        { XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR }

    Maybe add EHLO to invalid_cmds { } and delete EHLO from valid_cmds { } … but I have not tried it; I only saw it in the Snort FAQ.

    Regards



  • Thanks for the post.

    I will admit that I have no clue what that is or how I could manipulate it to my needs.  I will search the snort FAQ for more information.

    Anyone else with insight into this is more than welcome.  :)



  • Hi.

    One snort.conf example with SMTP setup.
    But I do not know if it is right for the pfSense Snort version.

    https://www.snort.org/documents/snort-2980-conf

    # SMTP normalization and anomaly detection.  For more information, see README.SMTP
    preprocessor smtp: ports { 25 465 587 691 } \
        inspection_type stateful \
        b64_decode_depth 0 \
        qp_decode_depth 0 \
        bitenc_decode_depth 0 \
        uu_decode_depth 0 \
        log_mailfrom \
        log_rcptto \
        log_filename \
        log_email_hdrs \
        normalize cmds \
        normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
        normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
        normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
        normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
        max_command_line_len 512 \
        max_header_line_len 1000 \
        max_response_line_len 512 \
        alt_max_command_line_len 260 { MAIL } \
        alt_max_command_line_len 300 { RCPT } \
        alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
        alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
        alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
        valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
        valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
        valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
        valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
        xlink2state { enabled }


    Regards.



  • Hi.

    More about … :)

    @BBcan177:

    I have tried to do this in postfix but couldn't find a solution, so I ended up adding a custom rule to Snort…

    Usually getting hit by an EHLO of ylmf-pc (Chinese OS).

    Snort won't block it fast enough to prevent a couple of login attempts, but it will stop an IP after about three attempts. This is because currently Snort is acting on a copy of the packet.

    alert tcp $EXTERNAL_NET any -> any 25 (msg:"SMTP EHLO from ylmf-pc attempt"; threshold: type limit, track by_src, count 1, seconds 60; content:"ylmf-pc"; nocase; classtype:suspicious-login; sid:9000032; rev:2;)

    Regards.
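The rule quoted above matches the string "ylmf-pc" anywhere in the client stream and then rate-limits alerts per source with a 60-second "limit" threshold. The following Python script is an added example written for this thread, not code from the thread's participants or from the Snort project: it models the same detection against a few constructed SMTP client sessions (made up here, not real captures), but keys the match on the EHLO/HELO argument rather than on a bare content search, and reproduces the "type limit, track by_src, count 1, seconds 60" threshold semantics so you can see which events actually produce an alert. Function and variable names are my own.

```python
import re

# Constructed sample events: (timestamp_seconds, source_ip, client_bytes).
# These are invented for the example; the addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    (0.0,  "203.0.113.5",  b"EHLO ylmf-pc\r\nAUTH LOGIN\r\nQUIT\r\n"),
    (5.0,  "203.0.113.5",  b"EHLO YLMF-PC\r\nAUTH LOGIN\r\nQUIT\r\n"),
    (7.0,  "198.51.100.7", b"EHLO mail.example.org\r\nMAIL FROM:<a@example.org>\r\n"
                           b"RCPT TO:<ylmf-pc@example.net>\r\nQUIT\r\n"),
    (70.0, "203.0.113.5",  b"EHLO ylmf-pc\r\nAUTH LOGIN\r\nQUIT\r\n"),
]

# Greeting values to alert on; "ylmf-pc" is the value named in the thread.
SUSPICIOUS_EHLO = {"ylmf-pc"}

# First token after EHLO/HELO, case-insensitive, like Snort's "nocase".
GREETING_RE = re.compile(rb"^(EHLO|HELO)[ \t]+(\S+)", re.IGNORECASE)


def ehlo_arguments(client_data: bytes):
    """Yield the argument of every EHLO/HELO command in a client-side stream."""
    for line in client_data.split(b"\r\n"):
        m = GREETING_RE.match(line)
        if m:
            yield m.group(2).decode("ascii", "replace")


def is_suspicious_greeting(arg: str) -> bool:
    return arg.lower() in SUSPICIOUS_EHLO


def content_anywhere(client_data: bytes) -> bool:
    """What the thread's rule does: content:"ylmf-pc"; nocase; matches any position."""
    return b"ylmf-pc" in client_data.lower()


class LimitThreshold:
    """Models Snort 'threshold: type limit, track by_src, count N, seconds S':
    at most N alerts per source inside each S-second window."""

    def __init__(self, count: int = 1, seconds: float = 60.0):
        self.count, self.seconds = count, seconds
        self.state = {}  # src_ip -> (window_start, alerts_in_window)

    def allow(self, src: str, now: float) -> bool:
        start, n = self.state.get(src, (now, 0))
        if now - start >= self.seconds:   # window expired: start a new one
            start, n = now, 0
        if n >= self.count:               # already at the limit for this window
            self.state[src] = (start, n)
            return False
        self.state[src] = (start, n + 1)
        return True


def detect(events, threshold: LimitThreshold = None):
    """Return the list of (src_ip, ehlo_arg) alerts the threshold lets through."""
    threshold = threshold or LimitThreshold(count=1, seconds=60.0)
    alerts = []
    for ts, src, data in events:
        for arg in ehlo_arguments(data):
            if is_suspicious_greeting(arg) and threshold.allow(src, ts):
                alerts.append((src, arg))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT EHLO from suspicious host:", alert)
    for ts, src, data in SAMPLE_EVENTS:
        print(ts, src, "content-anywhere match:", content_anywhere(data))
```

Running it shows two alerts for 203.0.113.5 (the first session and the one 70 seconds later; the repeat at 5 seconds is suppressed by the limit) and none for 198.51.100.7, even though a plain content search would also flag that third session because "ylmf-pc" appears in a RCPT address. If you want the Snort rule itself to behave the same way, anchor the content to the greeting command (for example with `content:"EHLO ylmf-pc"; nocase;` and a `flow:to_server,established;` constraint) rather than matching the string anywhere in the stream; that is a suggestion, not something the thread's author tested.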

