Snort mailing list archives

RE: Help with SMTP Rule


From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Mon, 25 Nov 2002 13:44:17 -0500

IMHO you're setting yourself up for a lot of traffic here. The way I read this
is, anything sent from HOME_NET to anything on port 25 that doesn't contain
'mail from|3a| @specificdomain.com'. This setup is sure to log every part of
the email being sent but the logon!
 
Despite the question of whether it can be done or not
(http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.9), I don't
think it's what you want. I'd suggest modifying it using the previous
SMTP_Server rule you used and use something like this:
 
alert tcp $HOME_NET any -> !$SMTP_SERVERS 25 (msg:"POLICY SMTP illegal Mail
From"; content:"mail from|3a| @specificdomain.com"; depth: 22;
classtype:misc-activity; nocase; sid:1000005; rev:1;)
 
This should be able to catch any 'mail from|3a| @specificdomain.com' sent to
port 25 on systems other than the allowed SMTP_SERVERS.
 
HTH,
John

-----Original Message-----
From: Ricardo Londoño [mailto:ricardo () datawan net]
Sent: Monday, November 25, 2002 1:04 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Help with SMTP Rule


I need some help trying to write a custom rule.
 
Basically I need to write a rule that captures all SMTP traffic where the
MAIL FROM is NOT a specific domain. I have come up with the following but I
don't think it is working right. I'm capturing other misc traffic. I also
think my problem lies in that I don't want to single out a specific user.
So I need the rule to be flexible in that any user from any domain with the
exception of the allowed domain will be logged.
 
alert tcp $HOME_NET any -> any 25 (msg:"POLICY SMTP illegal Mail From";
content:!"mail from|3a| @specificdomain.com"; depth: 22;
classtype:misc-activity; nocase; sid:1000005; rev:1;)
 
 
any help would be greatly appreciated.
 
thx
 
 
Ricardo
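To make the behaviour of both rules above concrete, here is an added Python model (not from the thread, not Snort code) of the content, depth, nocase and '!' options run over a constructed SMTP session, one command per packet. It only models payload matching (John's !$SMTP_SERVERS destination restriction is not emulated), and the two-option SENDER_CHECK rule at the end is an assumed variant, not something either poster wrote.

```python
import re

def expand_hex(spec):
    """Expand Snort |hh hh| hex escapes in a content string, e.g. 'from|3a|' -> 'from:'."""
    return re.sub(r"\|([0-9a-fA-F ]+)\|",
                  lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), spec)

def content_matches(payload, spec, depth=None, negate=False):
    """Emulate one Snort content option (nocase assumed, as in the thread's rules).
    depth restricts the search to the first `depth` payload bytes, so a pattern
    longer than depth can never be found; '!' inverts the result."""
    pattern = expand_hex(spec).lower()
    window = (payload if depth is None else payload[:depth]).lower()
    found = pattern in window
    return not found if negate else found

def rule_fires(payload, contents):
    """A rule fires only if every (spec, depth, negate) content option matches."""
    return all(content_matches(payload, spec, depth, negate) for spec, depth, negate in contents)

# Constructed client-side SMTP packets, one command per packet as in an interactive session.
PACKETS = [
    "EHLO client.example\r\n",
    "MAIL FROM:<alice@specificdomain.com>\r\n",
    "MAIL FROM:<bob@other.example>\r\n",
    "RCPT TO:<carol@example.net>\r\n",
]

def firing_packets(contents):
    """Commands from PACKETS that would trigger a rule with these content options."""
    return [p.strip() for p in PACKETS if rule_fires(p, contents)]

PAGE_SPEC = "mail from|3a| @specificdomain.com"   # 30 bytes once |3a| is expanded

# Ricardo's rule: content:!"..." with depth 22. The 30-byte pattern cannot fit in
# 22 bytes, so it never matches and the negation fires on every packet of every session.
ORIGINAL_RULE = [(PAGE_SPEC, 22, True)]
# John's rule keeps the same content and depth without '!': it can never fire.
SUGGESTED_RULE = [(PAGE_SPEC, 22, False)]
# Assumed two-option variant (not from the thread): require the MAIL FROM command,
# then negate the allowed domain in the RFC 2821 form 'MAIL FROM:<user@domain>'.
SENDER_CHECK = [("mail from|3a|", 10, False), ("@specificdomain.com>", None, True)]

if __name__ == "__main__":
    for name, rule in [("original", ORIGINAL_RULE), ("suggested", SUGGESTED_RULE),
                       ("sender check", SENDER_CHECK)]:
        print(f"{name}: {firing_packets(rule)}")
```

Even with a depth large enough to hold the pattern, the literal ': @' in the thread's content never occurs in real MAIL FROM syntax, which is why SENDER_CHECK matches on the command and the domain separately.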

