Re: Simple Snort Rule Help

[Matt Kettler <mkettler () evi-inc com>]

Pennell, Ronald B. wrote:

> Help, Please
>
>
>
> I'm trying to capture an alert for each email message that is going
> outbound for my organization.  
>
>
>
> I've tried the following rule and my Snort Admin had it tagged to the
> bad_unknown class.  When I check the ACID viewer it never gets logged.
>
>
>
> Do I need to create a special class for this and try to separate it from
> the bad_unknown class?  Can we setup special classes?
>
>
>
> If so how I would do that?
>
>
>
> Or, is the below statement not going to work?
>
>
>
>
>
> Alert tcp $SMTP_NET any --> any 25 (msg:"outgoing SMTP";)
>  

Well, that's a very simplistic approach. However, there's only 1 dash in ->.

Also, this assumes SMTP_NET is declared correctly.

Note however, this rule will alert for every packet, not every message.

You might want to add a flow, and a content rule. The content rule will
let you count messages, as each connection may have many messages in it.

alert tcp $SMTP_NET any -> any 25 (msg:"outgoing
SMTP";flow:to_server;content:"MAIL FROM";nocase;classtype:misc-activity;)

You can change the classtype to any of the classes in
etc/classification.config. If you need to create your own, use the
entries in classification.config as a template.







-------------------------------------------------------
This SF.Net email is sponsored by Oracle Space Sweepstakes
Want to be the first software developer in space?
Enter now for the Oracle Space Sweepstakes!
http://ads.osdn.com/?ad_id=7393&alloc_id=16281&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users