Snort mailing list archives
Re: Help with SMTP Rule
From: Ricardo Londoño <ricardo () datawan net>
Date: Mon, 25 Nov 2002 22:29:39 -0600
That looks better! I will try it!

Thanks,
Ricardo

----- Original Message -----
From: "Brian" <bmc () snort org>
To: "Ricardo Londoño" <ricardo () datawan net>
Cc: <snort-users () lists sourceforge net>
Sent: Monday, November 25, 2002 7:40 PM
Subject: Re: [Snort-users] Help with SMTP Rule

On Mon, Nov 25, 2002 at 12:04:14PM -0600, Ricardo Londoño wrote:
> Basically I need to write a rule that captures all SMTP traffic where the
> MAIL FROM is NOT a specific domain. I have come up with the following but I
> don't think it is working right. I'm capturing other misc traffic. I also
> think my problem lies in that I don't want to single out a specific user. So
> I need the rule to be flexible in that any user from any domain with the
> exception of the allowed domain will be logged.
>
> alert tcp $HOME_NET any -> any 25 (msg:"POLICY SMTP illegal Mail From"; \
>     content:!"mail from|3a| @specificdomain.com"; depth: 22; \
>     classtype:misc-activity; nocase; sid:1000005; rev:1;)

Try this:

alert tcp $HOME_NET any -> any 25 (msg:"POLICY SMTP illegal mail from"; \
    content:"mail from|3a| "; nocase; content:!"@specificdomain.com"; \
    within:100; classtype:misc-activity; nocase; sid:1000005; rev:2;)

-brian

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
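
Added example, not part of the original thread and not Snort's own matching engine: a simplified Python model of the content logic in the two rules above, run over constructed payloads. It shows why the rev:1 pattern (30 bytes searched in a 22-byte depth) alerts on every packet to port 25, and how rev:2 matches the command first and only then tests for the domain. `strict_check` and the sample payloads are assumptions made for illustration.

```python
import re

ALLOWED = b"@specificdomain.com"   # allowed sender domain, as in the rules above

def rule_rev1(payload: bytes) -> bool:
    """rev:1 model: alert unless the whole string occurs in the first 22 bytes."""
    pattern = b"mail from: " + ALLOWED          # 30 bytes, longer than depth 22
    return pattern not in payload[:22].lower()  # so the negation is always True

def rule_rev2(payload: bytes) -> bool:
    """rev:2 model: find "mail from: " first, then alert only if the allowed
    domain is absent from the 100 bytes after that match (within:100)."""
    data = payload.lower()
    pos = data.find(b"mail from: ")
    if pos < 0:
        return False                            # no MAIL FROM command: no alert
    start = pos + len(b"mail from: ")
    return ALLOWED not in data[start:start + 100]

# Assumed stricter comparison: read the address on the MAIL FROM line only.
MAIL_FROM = re.compile(rb"^mail from:\s*<?([^>\s]*)>?", re.I | re.M)

def strict_check(payload: bytes) -> bool:
    """Alert when the sender address does not end in the allowed domain."""
    m = MAIL_FROM.search(payload)
    if not m:
        return False
    return not m.group(1).lower().endswith(ALLOWED)

# Constructed client-to-server payloads (not captured traffic).
SAMPLES = {
    "ehlo":    b"EHLO host.example\r\n",
    "allowed": b"MAIL FROM: <alice@specificdomain.com>\r\n",
    "other":   b"MAIL FROM: <bob@example.org>\r\n",
    # Sender and recipient commands in one segment: the recipient address
    # falls inside the 100-byte window that rev:2 inspects.
    "batched": b"MAIL FROM: <bob@example.org>\r\n"
               b"RCPT TO: <carol@specificdomain.com>\r\n",
}

def evaluate():
    """Return {sample name: (rev1 alert, rev2 alert, strict alert)}."""
    return {n: (rule_rev1(p), rule_rev2(p), strict_check(p))
            for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (r1, r2, s) in evaluate().items():
        print(f"{name:8} rev1={r1!s:5} rev2={r2!s:5} strict={s}")
```

In this model rev:1 alerts on all four payloads, rev:2 alerts only on `other`, and the line-scoped check also alerts on `batched`, where the window-based test is satisfied by the recipient's address rather than the sender's.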