Short answer: It's probably going to be impossible to write a signature that won't give you tons of false positives. The problem is that there is virtually no difference between someone manually typing mail commands via telnet to port 25 and a standard SMTP program sending the same commands.

Long answer: There was an interesting thread on this topic recently on the firewalls mailing lists. Go to the archives here: http://www.nextrieve.com/knowledge/ and search in the firewalls list for 'telnet to port 25' for the year 2002 and you'll find some interesting tidbits related to trying to distinguish between a manual telnet to port 25 and a connection via an SMTP program. Bottom line, see the short answer. ;-)

As far as writing custom sigs, see the Cisco docs; they show you how to do this.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Cisco Breaker
Sent: Monday, April 15, 2002 11:52 PM
To: [EMAIL PROTECTED]
Subject: Signature for blocking telnet to SMTP server [7:41565]

Hi,

Is it possible to block telnet to SMTP server from port 25 with IDS? I want to create a custom signature for this but I don't know how this can be done. If I write a signature beginning with hello it will block all mail traffic because all of them start with hello as I know. And are there any resources that tell how to write a custom signature? We are using CSPM 2.3.3i.

Any help will be appreciated.

Best regards,
Cisco Breaker

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41607&t=41565

