From: Will M. <wil...@gm...> - 2005-08-01 18:57:20
I don't think you should be using snort+clam or snort rules in general to filter out malicious attachments in mail. There are far better solutions for this that live on your mail gateway. If you want to use Clam against your mail server, take a look at the clamav-milter.

Regards,
Will

On 7/29/05, Eric Scopinho <eri...@uo...> wrote:
> Hi, maybe this is a silly question, but let's say I have a rule for POP3
> blocking a malware (it can be a normal rule or using ClamAV preprocessor).
> When an internal user tries to download the message, the packet which
> contains the malware will be dropped (NF_DROP I guess).
> But since the email is still in his mailbox, will this not keep
> looping, with the user unable to download the other messages
> until someone removes the email from his mbox?
> If the above is true, is there some way of intercepting the packet
> 'transparently' and sending a DELE msg to the POP3 server? Maybe changing
> the payload/saddr/daddr, etc. of this packet using libipq?
>
> Regards,
>
> Eric Scopinho