Snort mailing list archives
Re: new to snort
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 07 Feb 2005 13:21:15 -0500
Ahh, good point, I missed the "mail" part of the original question. You probably want flags:S+ as well, unless you want to log every packet in the mail transfer, and not just the initial connection request.
At 12:13 PM 2/7/2005, Leon Ward wrote:
I think you may want to specify a destination port of 25 there as well (for SMTP outbound).

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"LOCAL traffic from home to external";)

-Leon

> On Mon, 2005-02-07 at 11:25 -0500, Matt Kettler wrote:
> At 10:27 AM 2/7/2005, Jürgen Schinker wrote:
> >can somebody write me a rule to detect simple mail Traffic from HOME_NET ->
> >EXTERNAL_NET?
>
> alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL traffic from home to external";)
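To see what each refinement in this thread changes, here is an added example (not part of any poster's message, and not Snort code): a small Python model of the three rule variants, the original alert ip rule, the port-25 rule, and the port-25 rule with flags:S+, run over a constructed outbound SMTP session. The HOME_NET value, the addresses, and treating EXTERNAL_NET as everything outside HOME_NET are assumptions.

```python
# Added illustration (not Snort code): models the rule variants from the thread.
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.168.1.0/24")  # assumed value of $HOME_NET
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10  # TCP flag bits

# proto, destination port (None = any), required flag bits (None = no flags option)
RULES = {
    "ip any": ("ip", None, None),
    "tcp 25": ("tcp", 25, None),
    "tcp 25 flags:S+": ("tcp", 25, SYN),
}

def matches(rule, pkt):
    proto, dport, need = rule
    src_home = ip_address(pkt["src"]) in HOME_NET
    dst_home = ip_address(pkt["dst"]) in HOME_NET
    if not src_home or dst_home:          # $HOME_NET -> $EXTERNAL_NET only
        return False
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if dport is not None and pkt["dport"] != dport:
        return False
    # flags:S+ means SYN must be set; the '+' allows any other bits as well
    if need is not None and (pkt["flags"] & need) != need:
        return False
    return True

def p(proto, src, dst, dport, flags=0):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "flags": flags}

C, MX = "192.168.1.10", "203.0.113.25"    # constructed client and mail server
SESSION = [                                # constructed sample traffic
    p("udp", C, "203.0.113.53", 53),       # DNS lookup before the mail transfer
    p("tcp", C, MX, 25, SYN),              # initial connection request
    p("tcp", MX, C, 40000, SYN | ACK),     # server reply (external -> home)
    p("tcp", C, MX, 25, ACK),
    p("tcp", MX, C, 40000, PSH | ACK),     # 220 banner
    p("tcp", C, MX, 25, PSH | ACK),        # EHLO
    p("tcp", C, MX, 25, FIN | ACK),        # teardown
    p("tcp", C, "203.0.113.80", 80, SYN),  # unrelated web connection
]

def alert_counts(packets):
    return {name: sum(matches(r, k) for k in packets) for name, r in RULES.items()}

if __name__ == "__main__":
    for name, n in alert_counts(SESSION).items():
        print(f"{name}: {n} alerts")
```

The server's SYN-ACK also has SYN set, but it travels from the external side to the home side, so the direction in the rule header keeps it from matching.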