[Snort-sigs] sid 567 - SMTP Relaying

shanew at ...94... shanew at ...94...
Tue Oct 2 09:28:05 EDT 2001


I decided to turn on just a few of the policy rules, and discovered
that the SMTP Relaying denied rule doesn't work right.  So much so, in
fact, that it caught two false positives while missing a number of
actual hits.

While rev 2 made it a tighter rule with the addition of the "550 "
string, the direction of the arrows still seems to be interpreted
wrong by snort.  When I flip it to look like:
$SMTP 25 -> $EXTERNAL_NET any

it works as expected.

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at ...94...
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew
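
Added example (not part of the original post, and not Snort's own code): a small Python model of a one-way `->` rule header, run over constructed packets, showing which side of the conversation each header orientation inspects for the "550 " string. The pre-flip header, the addresses, the payload text and the simplified $EXTERNAL_NET definition are assumptions.

```python
from dataclasses import dataclass

SMTP_SERVERS = {"192.0.2.25"}  # constructed stand-in for $SMTP

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def in_var(var: str, ip: str) -> bool:
    # Simplification (assumption): $EXTERNAL_NET is every address outside $SMTP.
    if var == "$SMTP":
        return ip in SMTP_SERVERS
    if var == "$EXTERNAL_NET":
        return ip not in SMTP_SERVERS
    raise ValueError(f"unknown variable {var}")

def port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port

def rule_fires(header: str, content: bytes, pkt: Packet) -> bool:
    """'->' is one-way: left side must be the packet source, right side its destination."""
    src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only the unidirectional operator is modelled")
    return (in_var(src, pkt.src) and port_ok(sport, pkt.sport)
            and in_var(dst, pkt.dst) and port_ok(dport, pkt.dport)
            and content in pkt.payload)

# Constructed traffic: a relay attempt, the server's refusal, and a client
# message whose body happens to quote a "550 " line.
CLIENT, SERVER = "198.51.100.7", "192.0.2.25"
PACKETS = [
    Packet(CLIENT, 40000, SERVER, 25, b"RCPT TO:<user@example.net>\r\n"),
    Packet(SERVER, 25, CLIENT, 40000, b"550 Relaying denied\r\n"),
    Packet(CLIENT, 40001, SERVER, 25, b"> 550 mailbox unavailable\r\n"),
]

TO_SERVER = "$EXTERNAL_NET any -> $SMTP 25"    # assumed pre-flip header
FROM_SERVER = "$SMTP 25 -> $EXTERNAL_NET any"  # header from the post

def alerts(header: str) -> list[int]:
    """Indexes of the constructed packets on which a "550 " rule with this header fires."""
    return [i for i, p in enumerate(PACKETS) if rule_fires(header, b"550 ", p)]

if __name__ == "__main__":
    print("to-server header fires on packets:", alerts(TO_SERVER))
    print("from-server header fires on packets:", alerts(FROM_SERVER))
```

In this model the to-server header never sees the server's refusal and fires only on the client packet that quotes "550 ", while the from-server header fires only on the refusal itself.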
