""GPL SMTP AUTH LOGON brute force attempt""

SID: 2102275

Revision: 3

Class Type: suspicious-login

Metadata: created_at 2010_09_23, updated_at 2012_01_16

Reference:

Protocol: tcp

Source Network: $SMTP_SERVERS

Source Port: 25

Destination Network: $EXTERNAL_NET

Destination Port: any

Flow: from_server,established

Contents:

  • Value: "Authentication unsuccessful"

Offset: 54

Within:

PCRE:

Special Options:

  • nocase

source