Snort - the de facto standard for intrusion detection/prevention

Configuration

SMTP has the usual configuration items, such as port and inspection_type. Also, SMTP command lines can be normalized to remove extraneous spaces. TLS-encrypted traffic can be ignored, which improves performance. In addition, regular mail data can be ignored for an additional performance boost. Since so few exploits (none in the current Snort rule set) target mail data, ignoring it is relatively safe and improves the performance of data inspection.

The configuration options are described below:

26. ports { <port> [<port>] ... }

This specifies on what ports to check for SMTP data. Typically, this will include 25 and possibly 465, for encrypted SMTP.

27. inspection_type <stateful | stateless>

Indicate whether to operate in stateful or stateless mode.

28. normalize <all | none | cmds>

This turns on normalization. Normalization checks for more than one space character after a command. Space characters are defined as space (ASCII 0x20) or tab (ASCII 0x09).

all checks all commands.

none turns off normalization for all commands.

cmds checks only the commands listed with the normalize_cmds parameter.

29. ignore_data

Ignore the data section of mail (except for mail headers) when processing rules.

30. ignore_tls_data

Ignore TLS-encrypted data when processing rules.

31. max_command_line_len <int>

Alert if an SMTP command line is longer than this value. Absence of this option or a "0" means never alert on command line length. RFC 2821 recommends 512 as a maximum command line length.

32. max_header_line_len <int>

Alert if an SMTP DATA header line is longer than this value. Absence of this option or a "0" means never alert on data header line length. RFC 2821 recommends 1024 as a maximum data header line length.

33. max_response_line_len <int>

Alert if an SMTP response line is longer than this value. Absence of this option or a "0" means never alert on response line length. RFC 2821 recommends 512 as a maximum response line length.

34. alt_max_command_line_len <int> { <cmd> [<cmd>] }

Overrides max_command_line_len for specific commands.

35. no_alerts

Turn off all alerts for this preprocessor.

36. invalid_cmds { <Space-delimited list of commands> }

Alert if any command in this list is sent from the client side. Default is an empty list.

37. valid_cmds { <Space-delimited list of commands> }

List of valid commands. We do not alert on commands in this list. Default is an empty list, but the preprocessor has this list hard-coded: { ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP QUIT RCPT RSET SAML SOML SEND ONEX QUEU STARTTLS TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR }

38. alert_unknown_cmds

Alert if we don't recognize the command. Default is off.

39. normalize_cmds { <Space-delimited list of commands> }

Normalize this list of commands. Default is { RCPT VRFY EXPN }.

40. xlink2state { enable | disable [drop] }

Enable or disable the xlink2state alert. If drop is specified, the traffic is also dropped when the alert fires. Default is enable.

41. print_cmds

List all commands understood by the preprocessor. This is not normally printed out with the configuration because it can produce a large amount of output.
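The command-line length, invalid/unknown-command and whitespace-normalization checks described above, modelled in Python as an added example (this is not Snort's code; the option names and hard-coded command list come from this page, while the sample client session and the order in which the checks are applied are this example's assumptions):

```python
import re

# Hard-coded valid command list, as documented for valid_cmds above.
VALID_CMDS = set("""ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN
HELO HELP IDENT MAIL NOOP QUIT RCPT RSET SAML SOML SEND ONEX QUEU
STARTTLS TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE
XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR""".split())


def inspect_smtp_commands(lines, max_command_line_len=512, alt_max=None,
                          invalid_cmds=(), alert_unknown_cmds=True,
                          normalize_cmds=("RCPT", "VRFY", "EXPN")):
    """Apply the documented client-side checks to a list of SMTP command lines.

    Returns (alerts, normalized_lines); alerts are (command, reason) tuples.
    Check ordering (length, invalid, unknown, normalize) is this model's choice.
    """
    alt_max = alt_max or {}                      # alt_max_command_line_len
    invalid = {c.upper() for c in invalid_cmds}  # invalid_cmds
    alerts, normalized = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():                     # nothing to inspect on a blank line
            normalized.append(line)
            continue
        cmd = line.split(None, 1)[0].upper()
        # Per-command override wins; a limit of 0 means never alert on length.
        limit = alt_max.get(cmd, max_command_line_len)
        if limit and len(line) > limit:
            alerts.append((cmd, f"command line {len(line)} > {limit}"))
        if cmd in invalid:
            alerts.append((cmd, "invalid command"))
        elif alert_unknown_cmds and cmd not in VALID_CMDS:
            alerts.append((cmd, "unknown command"))
        # normalize: more than one space (0x20) or tab (0x09) after a listed command.
        if cmd in normalize_cmds:
            m = re.match(r"^(\S+)([ \t]{2,})", line)
            if m:
                alerts.append((cmd, "extra whitespace after command"))
                line = m.group(1) + " " + line[m.end():]   # collapse to one space
        normalized.append(line)
    return alerts, normalized


SAMPLE_CLIENT_LINES = [  # constructed sample session, not captured traffic
    "EHLO mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT   TO:<bob@example.test>",   # extra spaces: alerted and normalized
    "XFOO bar",                        # not in the hard-coded list: unknown
    "DEBUG",                           # valid by default, but listed in invalid_cmds
    "VRFY " + "A" * 600,               # 605 bytes, over the VRFY override below
]


def run_sample():
    return inspect_smtp_commands(SAMPLE_CLIENT_LINES, invalid_cmds=("DEBUG",),
                                 alt_max={"VRFY": 256})
```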


Steven Sturges 2008-04-01