Snort mailing list archives
Help with SMTP Rule
From: Ricardo Londoño <ricardo () datawan net>
Date: Mon, 25 Nov 2002 12:04:14 -0600
I need some help trying to write a custom rule. Basically I need to write a rule that captures all SMTP traffic where the MAIL FROM is NOT a specific domain. I have come up with the following but I don't think it is working right. I'm capturing other misc traffic. I also think my problem lies in that I don't want to single out a specific user. So I need the rule to be flexible in that any user from any domain with the exception of the allowed domain will be logged.

alert tcp $HOME_NET any -> any 25 (msg:"POLICY SMTP illegal Mail From"; content:!"mail from|3a| @specificdomain.com"; depth:22; nocase; classtype:misc-activity; sid:1000005; rev:1;)

Any help would be greatly appreciated.

thx
Ricardo
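Added illustration (not part of the thread) of why the posted rule fires on every packet and what a domain-exclusion check has to express: the 30-byte negated content can never fit inside a 22-byte depth window, so the negation is always true. The simulation of Snort's content/depth/nocase/negation semantics and the corrected rule body shown in the comment are assumptions written for this example, not text from the original post.

```python
import re

# Constructed sample SMTP client commands (one payload each).
SAMPLES = {
    "allowed":   b"MAIL FROM:<alice@specificdomain.com>\r\n",
    "external":  b"MAIL FROM:<bob@otherdomain.org>\r\n",
    "lookalike": b"MAIL FROM:<eve@specificdomain.com.evil.net>\r\n",
    "lowercase": b"mail from: <carol@specificdomain.com>\r\n",
    "rcpt":      b"RCPT TO:<dave@otherdomain.org>\r\n",
}

def content_matches(payload, pattern, depth=None, nocase=False, negated=False):
    """Approximation of Snort content matching for this example.

    depth limits the search to the first `depth` payload bytes, and the whole
    pattern must fit inside that window. A negated content (content:!"...")
    fires when the pattern is NOT found in the window.
    """
    window = payload if depth is None else payload[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    found = pattern in window
    return (not found) if negated else found

# The posted content with |3a| decoded to ':'; 30 bytes, searched in 22.
ORIGINAL_PATTERN = b"mail from: @specificdomain.com"

def original_rule_fires(payload):
    # content:!"mail from|3a| @specificdomain.com"; depth:22; nocase;
    return content_matches(payload, ORIGINAL_PATTERN, depth=22,
                           nocase=True, negated=True)

# Hypothetical corrected rule body (an assumption for this example):
#   content:"MAIL FROM|3a|"; nocase; depth:10;
#   pcre:"/^MAIL FROM:\s*<?[^@>\s]+@(?!specificdomain\.com(?=[>\s]|$))/i";
# The negative lookahead rejects only the allowed domain, and the inner
# lookahead stops "specificdomain.com.evil.net" from passing as allowed.
FIXED_PCRE = re.compile(
    rb"^MAIL FROM:\s*<?[^@>\s]+@(?!specificdomain\.com(?=[>\s]|$))", re.I)

def fixed_rule_fires(payload):
    if not content_matches(payload, b"MAIL FROM:", depth=10, nocase=True):
        return False                      # not a MAIL FROM command at all
    return FIXED_PCRE.search(payload) is not None

def evaluate(rule):
    """Run a rule function over every sample; returns {name: fired}."""
    return {name: rule(p) for name, p in SAMPLES.items()}
```

Running `evaluate(original_rule_fires)` returns True for all five samples, including the RCPT TO command, while `evaluate(fixed_rule_fires)` fires only for the external and look-alike senders.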
Current thread:
- Help with SMTP Rule Ricardo Londoño (Nov 25)
- Re: Help with SMTP Rule Brian (Nov 25)
- Re: Help with SMTP Rule Ricardo Londoño (Nov 25)
- RE: Help with SMTP Rule Don (Nov 25)
- <Possible follow-ups>
- RE: Help with SMTP Rule Hicks, John (Nov 25)
- Re: Help with SMTP Rule Brian (Nov 25)