[Snort-sigs] SMTP versus POP3
Michael Scheidell
scheidell at ...249...
Sun Apr 28 19:43:01 EDT 2002
> |
> | alert tcp any 80:110 -> any any
> | (but, don't a lot of the rules depend on content headers? are they in web
> | based mail?)
One warning about the above:
better add in a bunch of ' content: "Received";' rules to filter out false
positives. Anyone validate that ANY pop3/hel mail client will leave at
least one received header?
--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
http://www.secnap.net/