Snort mailing list archives

RE: Problem getting a snort rule to work


From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Thu, 14 Apr 2005 09:34:31 -0400

You are missing the source port in your alerts.
 
Try:
 
alert tcp $SMTP_NET any -> any 25 (msg:"outgoing SMTP";)
 
Bruce
 
  _____  

From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
Pennell, Ronald B.
Sent: Thursday, April 14, 2005 8:59 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Problem getting a snort rule to work



I'm extremely new to Snort and have been trying to get a simple Snort rule to work.

I'm tasked with grabbing an alert for every email message that is going outbound from my organization.

I've tried using the following local rules:

Alert tcp $SMTP_NET --> any 25

Alert udp $SMTP_NET --> any 25

Alert tcp $HOME_Net --> any 25

When I check the ACID viewer, I see no traffic at all.

Any help would be greatly appreciated.

Ron Pennell

rpennell () ida org
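The point of Bruce's reply is the fixed shape of a Snort rule header: action, protocol, source address, source port, direction operator, destination address, destination port, then optional options in parentheses. The rule-header checker below is an added example, not code from this thread or from the Snort project; it splits a rule on that layout and reports the three-field left side that results when the source port is left out, as in Ron's rules. It does not resolve variables such as $SMTP_NET (those still need a var/ipvar definition in snort.conf) and its option parsing is simplified.

```python
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOS = {"tcp", "udp", "icmp", "ip"}


def parse_rule(rule: str) -> dict:
    """Split a Snort 2 rule into its header fields and options.

    Header layout: action proto src_ip src_port (->|<>) dst_ip dst_port
    Raises ValueError with a diagnosis when the header is malformed.
    """
    head, _, tail = rule.strip().partition("(")
    tokens = head.split()
    arrows = [i for i, t in enumerate(tokens) if t in ("->", "<>")]
    if len(arrows) != 1:
        raise ValueError("header needs exactly one direction operator (-> or <>)")
    left, right = tokens[:arrows[0]], tokens[arrows[0] + 1:]
    if len(left) != 4:
        raise ValueError(
            f"expected 'action proto src_ip src_port' before {tokens[arrows[0]]}, "
            f"got {len(left)} field(s): {' '.join(left)!r}; every address must be "
            "followed by a port (use 'any'); a 3-field left side usually means the "
            "source port was left out"
        )
    if len(right) != 2:
        raise ValueError(f"expected 'dst_ip dst_port' after the arrow, got {right!r}")
    action, proto, src_ip, src_port = left
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} (Snort keywords are lowercase)")
    if proto not in PROTOS:
        raise ValueError(f"unknown protocol {proto!r}")
    options = {}
    if tail:  # simplified: does not handle ';' inside quoted option values
        for item in tail.rstrip().rstrip(")").split(";"):
            if item.strip():
                key, _, value = item.strip().partition(":")
                options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src_ip": src_ip,
            "src_port": src_port, "direction": tokens[arrows[0]],
            "dst_ip": right[0], "dst_port": right[1], "options": options}


def diagnose(rule: str) -> str:
    """Return 'ok' or the parser's complaint; handy to run over a local.rules file."""
    try:
        parse_rule(rule)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    # Constructed inputs: Ron's rule as posted (lowercased) and Bruce's corrected one.
    for candidate in ("alert tcp $SMTP_NET -> any 25",
                      'alert tcp $SMTP_NET any -> any 25 (msg:"outgoing SMTP";)'):
        print(f"{candidate!r}: {diagnose(candidate)}")
```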

