[Snort-sigs] SMTP versus POP3

Michael Scheidell scheidell at ...249...
Sun Apr 28 19:43:01 EDT 2002

> | 
> | alert tcp any 80:110 -> any any
> | (but, don't a lot of the rules depend on content headers? are they in web
> | based mail?)

one warning about the above:
better add in a bunch of ' content: "Received";' rules to filter out false
positives. anyone validate that ANY pop3/hel mail client will leave at
least one received header?

Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
