[Snort-sigs] SMTP versus POP3

Michael Scheidell scheidell at ...249...
Sun Apr 28 19:43:01 EDT 2002


> | 
> | alert tcp any 80:110 -> any any
> | (but, don't a lot of the rules depend on content headers? are they in web
> | based mail?)

One warning about the above:
better add in a bunch of ' content: "Received";' rules to filter out false
positives. Anyone validate that ANY pop3/hel mail client will leave at
least one received header?

-- 
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
http://www.secnap.net/




