
Snort Forums Archive


Snort Challenge - inline mode


Posted by brevizniak on December 04, 2005 16:56:52

How can you use inline mode to handle mass mailing viruses or spammers without backing up mail servers with hundreds or thousands of mails?

Posted by snorrrtyd on January 04, 2006 17:56:21

So I see the challenges but are there prizes if we answer correctly?

Posted by lazzy8 on January 05, 2006 18:33:58

Maybe I'm misunderstanding the challenge, but the answer seems pretty obvious. Configure snort-inline rules to block spam and virus mail traffic. I'd probably download the bleeding-edge and snort virus/spam rules and whatever other rules I want to use. Have them updated via oinkmaster and edit them w/ a search and replace to have the signatures "reject" the traffic instead of alert (something like sed -e 's/^alert/drop/g'). You can have cron update the sigs and do the search and replace daily.
I'd also install clamav and do av scanning w/ the snort-inline clamav preprocessor.
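The search-and-replace step described in the post above, written out as an added shell example (this is not code from the post or from the Snort project). It does what the sed one-liner does, but tolerates leading whitespace before the action keyword, leaves commented-out rules alone, and optionally converts only rules whose msg matches a pattern, so that just the virus/spam signatures become drop rules while everything else keeps alerting. The rule file paths and the sample rules are constructed placeholders, not real bleeding-edge or Snort signatures.

```shell
#!/bin/sh
# Added example: turn "alert" rules into "drop" rules for snort_inline.
# Assumptions: rules are one per line, the action keyword is the first
# token, and commented-out rules start with "#". Paths are placeholders;
# point them at the rule files oinkmaster manages for you.

# convert_rules INPUT OUTPUT [MSG_PATTERN]
# With no pattern every active "alert" rule becomes "drop".
# With a pattern (an extended regex) only rules whose msg:"..." option
# matches it are converted, e.g. '(SPAM|VIRUS)'.
convert_rules() {
    in="$1"; out="$2"; pat="${3:-}"
    if [ -n "$pat" ]; then
        sed -E "/msg:\"[^\"]*${pat}[^\"]*\"/ s/^([[:space:]]*)alert([[:space:]])/\1drop\2/" "$in" > "$out"
    else
        sed -E 's/^([[:space:]]*)alert([[:space:]])/\1drop\2/' "$in" > "$out"
    fi
}

# count_action FILE ACTION: number of active (uncommented) rules that
# start with ACTION, e.g. count_action local.rules drop
count_action() {
    grep -Ec "^[[:space:]]*$2[[:space:]]" "$1"
}

# make_sample FILE: write a constructed rule set used to exercise the
# conversion; the sids and messages are made up for this example.
make_sample() {
    cat > "$1" <<'EOF'
# alert tcp any any -> any 25 (msg:"LOCAL SPAM commented-out rule stays as is"; sid:1000001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"LOCAL SPAM outbound mass mail"; sid:1000002;)
  alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"LOCAL VIRUS mass-mailer attachment"; sid:1000003;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL WEB unrelated signature"; sid:1000004;)
EOF
}

# Usage (placeholder paths): run this from cron after oinkmaster updates.
#   make_sample /tmp/sample.rules
#   convert_rules /tmp/sample.rules /tmp/mail-drop.rules '(SPAM|VIRUS)'
#   count_action /tmp/mail-drop.rules drop    # 2 rules now drop
```

Keeping the pattern-restricted form is the safer default: converting every alert to drop also turns research and informational signatures into blocking ones, and any false positive then interrupts a session instead of just logging.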

Posted by brevizniak on January 06, 2006 14:10:34

Do not forget to consider this portion of the challenge

"without backing up mail servers"

Performing a drop on content in the middle of a session will cause the sending mail server ( most likely yours ) to hold the mail for a period of days and attempt to resend it many times.

The spammer case is more a consideration for a company or university that may have a spammer inside using the network to send mail.

Posted by jengcoil on January 21, 2006 09:59:24

hello world

Posted by sfjennifer on June 05, 2006 07:43:47

Sure, we will give a $25 gift certificate to the Snort store for the best answer received by February 1st.

Details are available at http://www.snort.org/pub-bin/snortnews.cgi#197.

Good luck!