Snort Rule to capture outbound email traffic

["Pennell, Ronald B." <rpennell () ida org>]

I have the following snort rule setup to capture all outbound email
(smtp) traffic, but, yet I have not seen any traffic.

 

I figured that I should see an entry for each mail msg that is going
outbound from my organization.

 

alert tcp $SMTP_SERVERS any -> any 25

( sid: 1000004; rev: 6; msg: "outgoing SMTP"; flow: to_server; content:
"MAIL FROM"; nocase; classtype: misc-activity;)

 

This is setup as a "local rule" and pushed to all my sensors.

 

In the acid viewer I see the classtype but it doesn't contain any of the
outbound msgs.

 

Where am I going wrong?

 

Ron Pennell

rpennell () ida org