Snort Custom rules?
I was wondering if someone else has accomplished this? Right now the ports that I have open are: 5060, 80, 443, 465, 25, 995, 993, FTP. Recently in my mail logs I see many
SASL LOGIN authentication failed
Postfix has fail2ban, which blocks it, but I wanted to take it up a notch. Also, on the website I have been seeing some
"HEAD http://mydomain:80/phpmyadmin2011/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee"
Of course I have phpMyAdmin restricted through NGINX to internal IPs, but I was wondering how I can mitigate future attacks. This is what I have so far for the SMTPS; not sure if this would work:
# Postfix sends "535 5.7.8 Error: authentication failed" to the client, so the string is in server -> client traffic (hence the reversed header, flow:to_client and track by_dst). Port 465 carries implicit TLS, so Snort only sees this payload on a plaintext SMTP port such as 25.
alert tcp $HOME_NET 465 -> $EXTERNAL_NET any (msg:"SASL LOGIN authentication failed"; flow:established,to_client; content:"authentication failed"; nocase; threshold: type limit, track by_dst, count 1, seconds 60; classtype:suspicious-login; sid:9000032; rev:2;)
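As an added example (not from the original post), the threshold semantics of that rule, `type limit, track by_src, count 1, seconds 60`, applied to the two log formats quoted above; it also implements Snort's `threshold` and `both` types, which goes beyond the single rule shown. The sample log lines, the year 2024 and UTC timestamps are constructed assumptions; log matching sees the SASL failure even on port 465, where Snort cannot read the TLS-encrypted payload.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the two formats quoted in the post (Postfix syslog, nginx combined log).
SAMPLE_LOGS = """\
Mar  3 10:15:02 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:15:09 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 10:16:30 mail postfix/smtpd[1240]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
203.0.113.9 - - [03/Mar/2024:10:15:07 +0000] "HEAD http://mydomain:80/phpmyadmin2011/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee"
203.0.113.9 - - [03/Mar/2024:10:15:08 +0000] "HEAD http://mydomain:80/pma/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee"
"""

POSTFIX_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?\[(\d+\.\d+\.\d+\.\d+)\]: SASL LOGIN authentication failed")
NGINX_RE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d+ \d+ "[^"]*" "([^"]*Jorgee[^"]*)"')

def parse(line, year=2024):
    """Return (epoch_seconds, src_ip, msg) for a line of interest, else None.
    Assumption: syslog lines carry no year and are in UTC."""
    m = POSTFIX_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return ts.timestamp(), m.group(2), "SASL LOGIN authentication failed"
    m = NGINX_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        return ts.timestamp(), m.group(1), "Jorgee web scanner"
    return None

def apply_threshold(events, type_="limit", count=1, seconds=60):
    """Approximation of Snort's threshold keyword with track by_src; returns the events that alert.
    limit: first `count` events per source per window; threshold: every `count`-th event;
    both: once per window after `count` events. A window opens at a source's first event."""
    state, alerts = {}, []                      # src -> (window_start, events_seen, alerts_fired)
    for t, src, msg in sorted(events):
        start, n, fired = state.get(src, (None, 0, 0))
        if start is None or t - start >= seconds:
            start, n, fired = t, 0, 0           # open a new window for this source
        n += 1
        if type_ == "limit":
            fire = n <= count
        elif type_ == "threshold":
            fire = n % count == 0
        else:
            fire = n >= count and fired == 0
        if fire:
            fired += 1
            alerts.append((src, msg, t))
        state[src] = (start, n, fired)
    return alerts

def detect(text, **kw):
    """Parse a log blob and return the alerts the threshold would raise."""
    return apply_threshold([e for e in map(parse, text.splitlines()) if e], **kw)

if __name__ == "__main__":
    for src, msg, t in detect(SAMPLE_LOGS):
        print(datetime.fromtimestamp(t, timezone.utc).isoformat(), src, msg)
```

With the post's settings the three SASL failures from one source in 88 seconds produce two alerts (one per 60-second window) and the two scanner hits produce one.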