[Snortsam-discussion] snortsam not sending emails

Frank Knobbe frank at snortsam.net
Thu Aug 27 18:42:19 EDT 2009


On Thu, 2009-08-27 at 14:10 +0200, Ondrej Pesta wrote:
> Hi.
> I have a problem with snortsam 2.60. If a rule matches, snort
> successfully notices snortsam and snortsam at host 192.168.1.100 adds
> "deny" rule in my FreeBSD 7.2 ipfw firewall.
> Unfortunately it doesn't send emails. This is the "email" line from my
> snortsam.conf file.
> 
> email 192.168.1.33 netadmin at mydomain.tld snortsam at mydomain.tld
> 
> On 192.168.1.33 I have open relay SMTP server with postfix.
> When rule matches, I can see line "connect from unknown[192.168.1.100]"
> in my postfix maillog.
> But then it waits for something and nothing else happens.

Any error messages in snortsam.log? (like "Did not receive a response
from mail server at 192.168.1.33" or such?)

Snortsam just waits for the normal "220" banner from the mail server,
says "HELO", waits for "250" status, and so on. Capture that mail
session with ngrep and see where it fails. Perhaps Postfix is hanging
trying to resolve your internal IP address? It could be that Snortsam is
timing out before Postfix is timing out. The ngrep session capture of
the mail session should tell you where the problem is.

Regards,
Frank
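
A small probe that walks the opening of the exchange described above (banner, then HELO) and times each reply, so the stalled stage is visible without a packet capture. This is an added example, not part of the original thread and not Snortsam code; the 5-second timeout and the HELO name `probe.invalid` are assumptions, and 192.168.1.33 is the mail server address from the quoted configuration.

```python
import socket
import time

def read_reply(sock):
    """Read one SMTP reply (possibly multi-line); return (code, last line)."""
    buf = b""
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        lines = buf.split(b"\r\n")
        # A reply is complete when its last full line is "NNN text" ("NNN-" continues).
        if buf.endswith(b"\r\n") and len(lines) >= 2 and lines[-2][3:4] != b"-":
            text = lines[-2].decode("ascii", "replace")
            return int(text[:3]), text

def probe_smtp(host, port=25, timeout=5.0, helo_name="probe.invalid"):
    """Time each stage; timeout and helo_name are assumed values, not Snortsam's."""
    steps = [("banner", None, 220),
             ("HELO", b"HELO " + helo_name.encode("ascii") + b"\r\n", 250),
             ("QUIT", b"QUIT\r\n", 221)]
    results = []
    start = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return [("connect", "error: %s" % exc, time.monotonic() - start)]
    with sock:  # the connect timeout also applies to every later send/recv
        for name, command, expected in steps:
            start = time.monotonic()
            try:
                if command:
                    sock.sendall(command)
                code, text = read_reply(sock)
            except socket.timeout:
                results.append((name, "timeout", time.monotonic() - start))
                break
            except (OSError, ValueError) as exc:
                results.append((name, "error: %s" % exc, time.monotonic() - start))
                break
            results.append((name, text, time.monotonic() - start))
            if code != expected:
                break
    return results

if __name__ == "__main__":
    for stage, outcome, seconds in probe_smtp("192.168.1.33"):
        print("%-7s %6.2fs  %s" % (stage, seconds, outcome))
```

A `banner` row that shows `timeout`, or a banner that only arrives after several seconds, points at the server delaying its greeting, which matches the "connect from unknown" line followed by silence.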



