Snort mailing list archives

SMTP Rule


From: vmpc vmpc <packetstack () gmail com>
Date: Wed, 7 Sep 2011 11:59:16 +0200

Hello,

I am having difficulty writing a rule.

To keep it simple, I will explain it this way.

Basically, I would like to create a rule that will check for the following
SMTP traffic pattern:

content: From:blah () blah com; content: RCPT.To:blah () blah net.

The problem is that in an SMTP session, the FROM and the RCPT are on separate
packets. I would have to look at two different packets in order to generate
an alert. I don't know if that is possible.

So ultimately, I would like to know if it is possible to write a rule which
will look at all packets in a session and if it matches the contents of the
rule, it generates an alert.

Thanks!
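
One way to correlate the two commands within a single TCP session is Snort's `flowbits` option, shown here as an added example that is not part of the original post. The addresses, the flowbit name, the sids and the use of `$SMTP_SERVERS` on port 25 are constructed placeholders and assumptions.

```snort
# Added example (Snort 2.x syntax). flowbits keeps per-session state, so it
# needs session tracking enabled (the Stream preprocessor).
# sender@example.com / recipient@example.net are placeholders for the
# addresses of interest; sids are from the local range (>= 1000000).

# Rule 1: when the envelope sender is seen, set a bit on the session.
# flowbits:noalert suppresses the alert, so this rule only records state.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"LOCAL SMTP envelope sender of interest (state only)"; \
    flow:to_server,established; \
    content:"MAIL FROM|3A|"; nocase; \
    content:"sender@example.com"; nocase; distance:0; within:24; \
    flowbits:set,smtp_from_match; flowbits:noalert; \
    classtype:policy-violation; sid:1000001; rev:1;)

# Rule 2: alert on the recipient only if rule 1 already matched earlier
# in the same session (the bit is set).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"LOCAL SMTP sender/recipient pair of interest"; \
    flow:to_server,established; \
    flowbits:isset,smtp_from_match; \
    content:"RCPT TO|3A|"; nocase; \
    content:"recipient@example.net"; nocase; distance:0; within:27; \
    classtype:policy-violation; sid:1000002; rev:1;)
```

The bit stays set for the rest of the TCP session, so on a connection that carries several messages rule 2 can also fire for a later message from a different sender.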