Snort mailing list archives

Re: advice on content rule for outgoing email


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 24 Jun 2004 12:00:51 -0400

At 07:31 PM 6/23/2004, jeffs () speakeasy net wrote:
> Hello, and I'm glad to be part of this list. I have snort version 2.1.3 running on IPCop and I am very pleased with its results.
>
> I am familiar with writing rules although not terribly experienced with it. That is, I am familiar with the meaning behind many of the tags.
>
> Okay. So I need a rule that will scan outgoing email content (not pop3 or smtp protocol, but rather IMAP emails, i.e., going to port 80) for particular phrases or text. I have succeeded in doing this with a simple rule, but that simple rule also brings up alerts when those phrases are found in web pages due to normal surfing.
>
> Any way around this?

Are you sure you mean IMAP? IMAP should be port 143, 220 or 993, not port 80.

Perhaps you meant webmail, in which case, no, there's no good way other than by cataloging destination IPs for all the webmail service providers in the world.
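The approach described above, limiting the rule to a catalogue of known webmail destinations and to client-to-server traffic, as an added example for this archive page rather than a rule from the thread; the WEBMAIL_SERVERS addresses, the watched phrase and the sid are placeholders:

```snort
# Placeholder list of the webmail providers to watch (assumption, not from the thread);
# Snort 2.x accepts a bracketed, comma-separated IP list in a var.
var WEBMAIL_SERVERS [192.0.2.10,192.0.2.11]

# flow:to_server,established restricts inspection to the client's half of an
# established session, so the same phrase appearing inside a web page in the
# server's reply (normal surfing) never matches. Requiring "POST " at offset 0
# limits matches to form submissions, which is how a browser sends a webmail body.
alert tcp $HOME_NET any -> $WEBMAIL_SERVERS 80 (msg:"LOCAL outbound webmail body contains watched phrase"; flow:to_server,established; content:"POST "; depth:5; content:"falcon-2004"; nocase; classtype:policy-violation; sid:1000001; rev:1;)
```

Form bodies are URL-encoded, so a multi-word phrase appears with spaces as `+` or `%20` and needs a content match per encoding; webmail sent over HTTPS (port 443) cannot be inspected this way at all.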


