Snort mailing list archives
Re: SMTP rule "Access Denied for Mail Relay"
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 29 Dec 2009 22:25:08 -0500
On Tue, Dec 29, 2009 at 06:37:08PM -0500, volga629 () skillsearch ca wrote:
> Hello, I added this alert to a new smtp.rule:
>
> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"Possible mail relay usage"; content:"Relaying denied"; flags:A+; classtype:trojan-activity; sid:1000001; rev:1;)
>
> When I tested Snort in verbose mode (snort -v), I see SMTP traffic going through, but nothing denied by Snort. I wonder what else I need to add to Snort? The mail server denies mail relay anyway, but I want Snort to do this job instead.

If I understand your request properly, you are trying to get Snort to deny traffic? As in, using Snort in an IPS (inline) capacity? Or are you simply trying to get Snort to alert on the traffic that your email server is sending?

Sorry for the confusion.

--
Joel Esler | 302-223-5974 | gtalk: jesler () sourcefire com