Netgate Discussion Forum
    Snort Custom rules?

    killmasta93

      Hi,
      I was wondering if someone else has accomplished this? Right now the ports that I have opened are: 5060, 80, 443, 465, 25, 995, 993, FTP. Recently in my mail logs I see many

      ```
      SASL LOGIN authentication failed
      ```

      Postfix has fail2ban, which blocks it, but I wanted to take it up a notch. Also, on the website I have been seeing some

      ```
      "HEAD http://mydomain:80/phpmyadmin2011/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee"
      ```

      
      Of course I have phpMyAdmin restricted through NGINX to an internal IP,
      but I was wondering how I can mitigate future attacks.
      
      This is what I've got so far for SMTPS; not sure if this would work:

      ```
      # The "535 ... authentication failed" reply is sent by the server, so the
      # content: match has to look at server -> client traffic and the threshold
      # has to track the client (destination of that packet), not the source.
      # Caveat: port 465 is implicit TLS, so the payload is encrypted and Snort
      # cannot see this string at all; only plaintext SMTP (25/587 before
      # STARTTLS) is inspectable this way.
      alert tcp $HOME_NET 465 -> $EXTERNAL_NET any (msg:"SASL LOGIN authentication failed"; flow:established,to_client; content:"authentication failed"; nocase; threshold: type limit, track by_dst, count 1, seconds 60; classtype:suspicious-login; sid:9000032; rev:2;)
      ```

      
      Thank you

      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

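Since the SASL failures on port 465 travel inside TLS, a network rule cannot see them, but the same detection can be done where the string actually appears: in the Postfix and nginx logs. The script below is an added example, not code from the post or from Netgate; it parses constructed sample log lines (documentation-range IPs, an assumed syslog year, an nginx combined log line modelled on the one quoted above) for the two patterns the post mentions and applies the same rate-limiting semantics as the rule's `threshold: type limit, track by_src, count 1, seconds 60`, so you can see exactly when such a rule would and would not fire.

```python
"""Log-side counterpart of the Snort rule from the post (added example).

Rather than inspecting packets, this scans Postfix and nginx log lines for the
two patterns the post mentions, SASL LOGIN failures and the "Jorgee" phpMyAdmin
scanner, and applies the same alert rate-limiting semantics as Snort's
'threshold: type limit, track by_src, count N, seconds S'.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed sample log lines; addresses are documentation ranges, not real hosts.
POSTFIX_LOG = """\
Mar 10 12:00:01 mail postfix/smtpd[2231]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 12:00:10 mail postfix/smtpd[2231]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 12:00:30 mail postfix/smtpd[2240]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 12:00:45 mail postfix/smtpd[2241]: connect from mx.example.net[198.51.100.7]
Mar 10 12:00:50 mail postfix/smtpd[2241]: warning: mx.example.net[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 10 12:01:05 mail postfix/smtpd[2250]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

NGINX_LOG = """\
203.0.113.9 - - [10/Mar/2025:12:00:02 +0000] "HEAD /phpmyadmin2011/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee"
203.0.113.9 - - [10/Mar/2025:12:00:03 +0000] "HEAD /pma/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee"
192.0.2.44 - - [10/Mar/2025:12:00:20 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
"""

SYSLOG_YEAR = 2025  # syslog timestamps carry no year; assumed for the sample

SASL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL \w+ authentication failed"
)
# nginx combined log format: ip ident user [ts] "request" status bytes "referer" "agent"
NGINX_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_syslog_ts(ts: str) -> float:
    dt = datetime.strptime(f"{ts} {SYSLOG_YEAR}", "%b %d %H:%M:%S %Y")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def parse_clf_ts(ts: str) -> float:
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()


def sasl_failures(log: str) -> list[tuple[float, str]]:
    """(timestamp, client_ip) for every SASL authentication failure."""
    return [(parse_syslog_ts(m["ts"]), m["ip"])
            for m in map(SASL_RE.match, log.splitlines()) if m]


def scanner_hits(log: str, ua_marker: str = "Jorgee") -> list[tuple[float, str, str]]:
    """(timestamp, client_ip, request) for hits whose User-Agent contains the
    marker, compared case-insensitively like Snort's 'nocase'."""
    return [(parse_clf_ts(m["ts"]), m["ip"], m["req"])
            for m in map(NGINX_RE.match, log.splitlines())
            if m and ua_marker.lower() in m["ua"].lower()]


class LimitThreshold:
    """Snort 'threshold: type limit, track by_src, count N, seconds S': report the
    first N events per source in each S-second window, then stay quiet until a
    new window starts."""

    def __init__(self, count: int = 1, seconds: int = 60):
        self.count, self.seconds = count, seconds
        self._windows: dict[str, tuple[float, int]] = {}  # key -> (start, fired)

    def allow(self, key: str, ts: float) -> bool:
        start, fired = self._windows.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, fired = ts, 0  # first sighting or window expired: reset
        fire = fired < self.count
        self._windows[key] = (start, fired + 1 if fire else fired)
        return fire


def alerts_for(events, count: int = 1, seconds: int = 60) -> list:
    """Events (processed in time order) that survive thresholding by source IP."""
    th = LimitThreshold(count, seconds)
    return [ev for ev in sorted(events) if th.allow(ev[1], ev[0])]


if __name__ == "__main__":
    for ts, ip in alerts_for(sasl_failures(POSTFIX_LOG)):
        print(f"SASL brute-force candidate from {ip} at {ts:.0f}")
    for ts, ip, req in alerts_for(scanner_hits(NGINX_LOG)):
        print(f"scanner {ip}: {req}")
```

With the sample data, `203.0.113.5` produces five failures but only two alerts (the window resets after 60 seconds), which is exactly the behaviour of `type limit, count 1, seconds 60`; raising `count` to 3 lets the first three failures through per window. Feeding the same alert stream to a firewall block list is what fail2ban already does, so the value here is in confirming what the rule's threshold semantics will actually surface.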
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.