Simple Snort Rule Help

["Pennell, Ronald B." <rpennell () ida org>]

Help, Please

 

I'm trying to capture an alert for each email message that is going
outbound for my organization.  

 

I've tried the following rule and my Snort Admin had it tagged to the
bad_unknown class.  When I check the ACID viewer it never gets logged.

 

Do I need to create a special class for this and try to separate it from
the bad_unknown class?  Can we setup special classes?

 

 If so how I would do that?

 

Or, is the below statement not going to work?

 

 

Alert tcp $SMTP_NET any --> any 25 (msg:"outgoing SMTP";)

 

 

rpennell () ida org