Re: Snort Rule to capture outbound email traffic

[Frank Knobbe <frank () knobbe us>]

On Tue, 2005-06-21 at 14:59 -0400, Pennell, Ronald B. wrote:

>                 alert tcp $SMTP_SERVERS any -> any 25
>                                    
>                                    
>     ( sid: 1000004; rev: 6; msg: "outgoing SMTP"; flow: to_server;
>        content: "MAIL FROM"; nocase; classtype: misc-activity;)
>                                    
>                                    
> In the acid viewer I see the classtype but it doesn’t contain any of
> the outbound msgs.

> Where am I going wrong?

You are using the flow statement wrong. Check for existing sessions that
go to the server. Use: " flow:established,to_server; "

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part