Snort mailing list archives

Re: SMTP rule "Access Denied for Mail Relay"


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 29 Dec 2009 22:25:08 -0500

On Tue, Dec 29, 2009 at 06:37:08PM -0500, volga629 () skillsearch ca wrote:
   Hello,

   I added this alert to a new smtp.rule

   alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any
   (msg:"Possible mail relay usage"; content:"Relaying denied";
   flags:A+; classtype:trojan-activity; sid:1000001; rev:1;)

   When I tested snort in verbose mode (snort -v), I see SMTP traffic going
   through, but nothing is denied by snort.

   I wonder what else I need to add to snort? The mail server denies mail
   relay anyway, but I want snort to do this job instead.



If I understand your request properly, you are trying to get Snort to deny traffic?  As in, using Snort in an IPS (inline) capacity?

Or are you simply trying to get Snort to alert on the traffic that your email server is sending?

Sorry for the confusion.

-- 
Joel Esler | 302-223-5974 | gtalk: jesler () sourcefire com

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

