Netgate Discussion Forum

Snort Custom rules?

    killmasta93
    last edited by Jun 8, 2017, 2:41 AM

    Hi,
    I was wondering if someone else has accomplished this? Right now the ports that I have opened are: 5060, 80, 443, 465, 25, 995, 993, FTP. Recently in my mail logs I see many

    ```
    SASL LOGIN authentication failed
    ```

    The postfix has fail2ban which blocks it but wanted to take it up a notch, also with the website have been seeing some

    ```
    "HEAD http://mydomain:80/phpmyadmin2011/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee"
    ```

    Which of course I have the phpmyadmin restricted through NGINX to internal IP
    But was wondering how I can mitigate for future attacks

    This is what I got so far for the SMTPS, not sure if this would work

    ```
    alert tcp $EXTERNAL_NET any -> any 465 (msg:"SASL LOGIN authentication failed"; threshold: type limit, track by_src, count 1, seconds 60; content:"authentication failed"; nocase; classtype:suspicious-login; sid:9000032; rev:2;)
    ```

    Thank you

    Tutorials:

    https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials
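
Added example rules (not part of the original post, and not the pfSense project's own rules). They assume Snort 2.9.x as shipped in the pfSense package, the http_inspect preprocessor enabled, $HOME_NET/$EXTERNAL_NET set as usual, and sids picked in the same 90000xx range as the posted rule (assumed unused). Two things the posted rule would trip over: port 465 is SMTPS, so Snort never sees the "authentication failed" string inside TLS, and the failure is a reply sent by the mail server to the client, so the direction has to be server to client (the host doing the guessing is then the destination, not the source). Snort 2.9 also deprecates the in-rule `threshold` keyword in favour of `detection_filter`. The rules below watch the plaintext SMTP reply on port 25 and the two HTTP signals visible in the nginx log line instead:

```snort
# Constructed custom.rules entries (example only, not the poster's rule).
# Assumptions: Snort 2.9.x on pfSense, http_inspect enabled,
# $HOME_NET = the firewall's public side, sids 9000033-9000035 unused.

# 1. Postfix answers a bad AUTH with "535 5.7.8 Error: authentication failed".
#    That reply leaves port 25 toward the client, so match to_client traffic
#    and count by destination (the client doing the guessing).
#    One alert once 5 failures reach the same client in 60 s; tune count/seconds.
alert tcp $HOME_NET 25 -> $EXTERNAL_NET any (msg:"LOCAL SMTP repeated AUTH failures to one source"; flow:to_client,established; content:"535 "; depth:4; content:"authentication failed"; nocase; detection_filter:track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:9000033; rev:1;)

# 2. The nginx log shows the scanner identifying itself as "Mozilla/5.0 Jorgee".
#    Match the User-Agent header on plain HTTP (port 80 only; 443 is encrypted).
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL Jorgee scanner User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/5.0 Jorgee"; nocase; http_header; classtype:web-application-attack; sid:9000034; rev:1;)

# 3. Probes for /phpmyadmin* paths (the phpmyadmin2011/ request in the log).
#    Three such requests from one source within a minute raise one alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL phpMyAdmin path probe"; flow:to_server,established; content:"/phpmyadmin"; nocase; http_uri; detection_filter:track by_src, count 3, seconds 60; classtype:web-application-activity; sid:9000035; rev:1;)
```

On pfSense these go into the interface's custom.rules entry on the Rules tab; with "Block Offenders" on, the source of the alert is what gets blocked, which is why rule 1 tracks by destination (the external client). Note the limits: a client that issues STARTTLS on port 25 hides its AUTH exchange just like 465 does, and 443/993/995 are encrypted end to end, so for those ports the postfix and nginx logs that fail2ban already reads remain the reliable signal; the Snort rules add coverage for the plaintext cases, they do not replace fail2ban.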

    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.