Snort mailing list archives

Re: SMTP rule needed

From: Andreu.Gomez () keisa intrakom com
Date: Wed, 10 Apr 2002 09:31:07 +0100

Would this catch traffic going to 'hotmail' as well?
Thanks anyway it seems to work
Paul


No, I don't think so. Hotmail is a web based email service, so it doesn't
use port 25. To do so you should write a new rule, something like

alert tcp any any -> any 80(msg:"Hotmail access";content:"hotmail.com";
flags: A+; nocase; classtype:misc-activity;)

Bear in mind that hotmail has several servers like law4.lc3.hotmail.com so
it's difficult to set up a new rule only for hotmail. If you knew all its
IP addresses...

I hope this is useful for you
andreu


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

SMTP rule needed Paul . Simons (Apr 09)
- Re: SMTP rule needed Matt Kettler (Apr 09)
- <Possible follow-ups>
- Re: SMTP rule needed Paul . Simons (Apr 09)
- Re: SMTP rule needed Andreu . Gomez (Apr 10)
- RE: SMTP rule needed Wirth, Jeff (Apr 10)