The 421 is sent to the wrong peer for preHeaderRe - this will be fixed.

> Also, is there a way to have specific matches from preHeaderRe make the IP score extreme right away

No. preHeaderRe is designed and used to protect assp from dangerous 
content. If a match is found for preHeaderRe, the connection is terminated 
by processing a minimal code part.

To score this misbehavior, let the client do the wrong things and catch 
the misbehavior with 'MaxErrors'.

Thomas

From:    K Post <[email protected]>
To:      ASSP development mailing list <[email protected]>
Date:    15.05.2016 18:02
Subject: [Assp-test] preHeaderRe not working as expected, Chinese hack attempts HEAD /favicon.ico HTTP/1.0

We're getting TONS of requests, all from Chinese IPs sending

HEAD /favicon.ico HTTP/1.0
close
    (and a blank line)

through ASSP.  Essentially, our server says helo, their server responds
with the "head" line above, we say that's not valid, they say close, we
say, that's not valid, they send a blank line, we say not valid, and they
disconnect.

I'm not sure what they're trying to accomplish, but it's happening...

https://www.abuseipdb.com/check/219.145.184.210 has a similar report.
https://www.abuseipdb.com/check/117.27.245.185


I've added
HEAD /favicon\.ico HTTP/1\.0
to my preHeaderRe file thinking that this would stop our SMTP server from
receiving the command, and it does, but not how I'd expect.

Before, we were seeing this logged on our smtp server
SENT 220 smtp.ourcharity.org
RECEIVED: HEAD /favicon.ico HTTP/1.0
SENT: 503 Bad sequence of commands
RECEIVED: close
SENT: 503 Bad sequence of commands
RECEIVED:     <-- blank line
SENT: 503 Bad sequence of commands

Now we're getting
SENT 220 smtp.ourcharity.org
RECEIVED: 421 assp.ourcharity.org Service not available, closing
transmission channel
SENT: 503 Bad sequence of commands

So it seems that ASSP is in fact stopping the hacker from sending the head
line to our smtp server and terminating the session, but ASSP is sending
the 421 to our server NOT (or not only) to the sending server.

I don't know if this is by design, if I'm just not understanding, or what,
but I was hoping that ASSP would

1) Intercept the bad HEAD /favicon\.ico HTTP/1\.0 line

2) Send a "quit" command to our SMTP server to gracefully close the session without the unexpected 421 line that our SMTP server doesn't know how to handle

3) Send a 421 or whatever to the other SMTP server saying to go away


Also, is there a way to have specific matches from preHeaderRe make the IP score extreme right away - or if that's even a good idea? I was thinking of being able to add a weight to preHeaderRe or something along those lines to score the IP.

Other suggestions or thoughts?  Are other people seeing this?

Thanks.
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data 
untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
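The two paths Thomas describes (a preHeaderRe match cutting the session off at once, and non-SMTP chatter being counted against MaxErrors), modelled on the probe K Post reported and on the behaviour K Post asked for (421 to the offending client, a clean QUIT to the backend). This is an added example, not assp's own code; the hostname, reply texts, the max_errors value and the backend replies are assumptions.

```python
import re

# The pattern is the thread's own preHeaderRe entry; the proxy model around it
# is constructed for this example and is not assp's code.
PRE_HEADER_RE = [re.compile(r"HEAD /favicon\.ico HTTP/1\.0")]
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "VRFY", "QUIT"}
BANNER = "220 assp.example ESMTP"  # assumed hostname


def run_session(client_lines, pre_header_re=PRE_HEADER_RE, max_errors=3):
    """Run client lines through the proxy model.

    Returns (to_client, to_backend, outcome): the replies the client saw, the
    commands the backend saw, and why the session ended ('preheader',
    'maxerrors', 'quit', or None if the client simply stopped talking).
    """
    to_client, to_backend, errors = [BANNER], [], 0
    for line in client_lines:
        # preHeaderRe: dangerous content ends the session at once. The 421 goes
        # to the offending client; the backend gets a clean QUIT instead.
        if any(rx.search(line) for rx in pre_header_re):
            to_client.append("421 assp.example Service not available, closing transmission channel")
            to_backend.append("QUIT")
            return to_client, to_backend, "preheader"
        verb = line.split(" ", 1)[0].upper()
        if verb not in SMTP_VERBS:
            # Not SMTP at all: reject it locally and count it toward MaxErrors,
            # so the misbehaviour can be scored without the backend seeing it.
            errors += 1
            to_client.append("500 5.5.1 Command unrecognized")
            if errors >= max_errors:
                to_client.append("421 assp.example Too many errors, closing transmission channel")
                to_backend.append("QUIT")
                return to_client, to_backend, "maxerrors"
            continue
        to_backend.append(line)  # well-formed SMTP is relayed to the backend
        to_client.append("221 Bye" if verb == "QUIT" else "250 OK")  # constructed backend replies
        if verb == "QUIT":
            return to_client, to_backend, "quit"
    return to_client, to_backend, None


# Constructed copy of the probe reported in the thread: an HTTP line, "close",
# then an empty line.
PROBE = ["HEAD /favicon.ico HTTP/1.0", "close", ""]

if __name__ == "__main__":
    for label, rules in (("with preHeaderRe", PRE_HEADER_RE), ("without", [])):
        _, backend, outcome = run_session(PROBE, rules)
        print(f"{label}: outcome={outcome}, backend saw {backend}")
```

Run without a preHeaderRe match (the second loop iteration) to see the same probe being absorbed by the MaxErrors path instead, with the backend still only ever receiving QUIT.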