Snort mailing list archives
Re: SMTP Rule
From: Martin Holste <mcholste () gmail com>
Date: Wed, 7 Sep 2011 08:15:05 -0500
You can do this with flowbits and two rules. You use "flowbits:set,SMTP.Flowbit" (the name of the flowbit doesn't matter as long as it is unique). Then you make a second rule which has the other content match for the "TO" address which checks that the first flowbit was set like this: "flowbits:isset,SMTP.Flowbit". See the Snort manual for details on flowbits, and have a look at the current Snort ruleset for how they were used.

On Wed, Sep 7, 2011 at 4:59 AM, vmpc vmpc <packetstack () gmail com> wrote:
Hello, I am having difficulty writing a rule. To keep it simple, I will explain it this way. Basically, I would like to create a rule that will check for the following SMTP traffic pattern: content: From:blah () blah com; content: RCPT.To:blah () blah net. The problem is that in an SMTP session, the FROM and the RCPT are in separate packets. I would have to look at two different packets in order to generate an alert. I don't know if that is possible. So ultimately, I would like to know if it is possible to write a rule which will look at all packets in a session and, if it matches the contents of the rule, generates an alert. Thanks!

------------------------------------------------------------------------------
Using storage to extend the benefits of virtualization and iSCSI. Virtualization increases hardware utilization and delivers a new level of agility. Learn what those decisions are and how to modernize your storage and backup environments for virtualization. http://www.accelacomm.com/jaw/sfnl/114/51434361/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
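The two-rule flowbits approach from the reply above, written out as an added example that is not part of the original thread. The addresses are constructed placeholders for the sender and recipient the poster wants to pair, the SIDs are in the local (1000000+) range, and $EXTERNAL_NET / $SMTP_SERVERS are assumed to be defined in snort.conf. The first rule only records state (flowbits:noalert), so the alert fires once, on the RCPT TO packet, and only in a TCP flow where the MAIL FROM match was already seen.

```snort
# Rule 1: match the envelope sender on the MAIL FROM command.
# Sets a per-flow bit and suppresses its own alert; the bit name is
# arbitrary but must be unique across the ruleset.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"SMTP MAIL FROM sender@example.com seen (state only)"; \
    flow:to_server,established; \
    content:"MAIL FROM|3A|"; nocase; \
    content:"sender@example.com"; nocase; distance:0; \
    flowbits:set,smtp.from_sender_example_com; \
    flowbits:noalert; \
    classtype:misc-activity; sid:1000001; rev:1; )

# Rule 2: match the envelope recipient on the RCPT TO command, but only
# if rule 1 already set the bit earlier in this same TCP session.
# This is the rule that actually raises the alert.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"SMTP mail from sender@example.com to recipient@example.net"; \
    flow:to_server,established; \
    flowbits:isset,smtp.from_sender_example_com; \
    content:"RCPT TO|3A|"; nocase; \
    content:"recipient@example.net"; nocase; distance:0; \
    classtype:misc-activity; sid:1000002; rev:1; )
```

Note that these rules inspect the SMTP envelope commands (MAIL FROM / RCPT TO), not the From: header inside the DATA section; the same two-rule pattern works for header matches, but the content strings and any offsets would differ.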
Current thread:
- SMTP Rule vmpc vmpc (Sep 07)
- Re: SMTP Rule Martin Holste (Sep 07)