Snort mailing list archives

Re: new to snort

From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Tue, 08 Feb 2005 09:49:21 +0000

--On 07 February 2005 16:27 +0100 Jürgen Schinker<ba1020 () homie homelinux net> wrote:

can somebody write me a rule to detect simple mail Traffic from HOME_NET
-> EXTERNAL_NET?


Assuming you just mean SMTP by 'simple mail traffic':

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SMTP detected";flow:established; sid:3000001;)


should do the job.

Remove 'flow:established' if you want to detect SMTP scans as well assuccessfully-established connections.

thanks
Jürgen


Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

new to snort Jürgen Schinker (Feb 07)
- Message not available
  - Re: new to snort Matt Kettler (Feb 07)
    - Re: new to snort Leon Ward (Feb 07)
    - Re: new to snort Matt Kettler (Feb 07)
- Re: new to snort Alex Butcher, ISC/ISYS (Feb 08)