[Snort-sigs] Not looking in Email

Esler, Joel Contractor EslerJ at ...785...
Wed May 21 19:38:06 EDT 2003

I know it has to be possible, to write a rule that will look for
something...  such as...

alert tcp any any -> $HOME_NET any (msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000004;)

I wrote that rule to look for the string "/etc/passwd" in traffic, however,
is there a way I can make it NOT look in email?  like if I define my SMTP
servers in snort.conf and then write like

alert tcp any any -> $HOME_NET !$SMTP_SERVERS any ....

or something like that?

Joel Esler
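Added example, not part of the original post or of Snort's own code: a small model of how a Snort 2.x rule header resolves IP variables and negation, run over a few constructed packets. A header takes a single address spec per side, so instead of the two-token `$HOME_NET !$SMTP_SERVERS` sketched above the example uses the bracketed list form `[$HOME_NET,!$SMTP_SERVERS]` (in the home net and not a mail server). The addresses, the packets and the list-with-negation semantics (union of the positive members minus the negated ones, as Snort 2.9 `ipvar` lists behave; older releases may not accept negation inside a list) are assumptions, and only the `content:` option is evaluated, `flags:A+` is ignored.

```python
"""Model of Snort header IP/port matching with variables and negation.

Added example, not code from the post or from Snort. Assumes Snort 2.x header
syntax: 'any', a CIDR, '$VAR', '!spec', and bracketed lists such as
[$HOME_NET,!$SMTP_SERVERS]; a list matches when some positive member matches
and no negated member does (Snort 2.9 ipvar semantics, an assumption here).
"""
import ipaddress
import re

# Constructed snort.conf fragment with assumed addresses (not from the post).
SNORT_CONF = """
var HOME_NET 192.168.1.0/24
var SMTP_SERVERS [192.168.1.25,192.168.1.26]
alert tcp any any -> [$HOME_NET,!$SMTP_SERVERS] any (msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000004;)
"""

# The poster's header as written ($HOME_NET only), for comparison.
ORIGINAL_CONF = SNORT_CONF.replace("[$HOME_NET,!$SMTP_SERVERS]", "$HOME_NET")

HEADER_RE = re.compile(
    r"^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def load_conf(text):
    """Return ({var_name: spec}, [rule lines]) from a config fragment."""
    variables, rules = {}, []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("var "):
            _, name, spec = line.split(None, 2)
            variables[name] = spec
        elif line.startswith("alert "):
            rules.append(line)
    return variables, rules


def split_list(body):
    """Split a bracketed list body on top-level commas (nested lists allowed)."""
    items, depth, cur = [], 0, ""
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    items.append(cur)
    return items


def ip_matches(spec, ip, variables):
    """Does address ip satisfy the header IP spec after variable expansion?"""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return ip_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        members = [m.strip() for m in split_list(spec[1:-1])]
        positives = [m for m in members if not m.startswith("!")]
        negatives = [m[1:] for m in members if m.startswith("!")]
        # A list with only negated members means "everything except".
        included = any(ip_matches(m, ip, variables) for m in positives) if positives else True
        excluded = any(ip_matches(m, ip, variables) for m in negatives)
        return included and not excluded
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Port spec: 'any', '!spec', a single port, or a low:high range."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_fires(rule, variables, pkt):
    """Evaluate the header and every content: option against one packet."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparsed rule header: " + rule)
    proto, src, sport, dst, dport, options = m.groups()
    if proto != pkt["proto"]:
        return False
    if not (ip_matches(src, pkt["src"], variables) and port_matches(sport, pkt["sport"])):
        return False
    if not (ip_matches(dst, pkt["dst"], variables) and port_matches(dport, pkt["dport"])):
        return False
    # Only content: is modelled; flags:A+ and other options are ignored here.
    return all(needle.encode() in pkt["payload"]
               for needle in re.findall(r'content:\s*"([^"]*)"', options))


# Constructed sample traffic: attacker-side host 10.9.9.9 talking to the home net.
PACKETS = {
    "ssh_to_host": dict(proto="tcp", src="10.9.9.9", sport=40000, dst="192.168.1.10", dport=22,
                        payload=b"cat /etc/passwd\n"),
    "mail_to_smtp": dict(proto="tcp", src="10.9.9.9", sport=40001, dst="192.168.1.25", dport=25,
                         payload=b"see /etc/passwd in the attached log"),
    "outside_home": dict(proto="tcp", src="10.9.9.9", sport=40002, dst="10.0.0.5", dport=80,
                         payload=b"GET /etc/passwd HTTP/1.0"),
    "benign": dict(proto="tcp", src="10.9.9.9", sport=40003, dst="192.168.1.10", dport=22,
                   payload=b"ls -la\n"),
}


def evaluate(conf=SNORT_CONF, packets=PACKETS):
    """Map each sample packet name to whether the first rule in conf fires."""
    variables, rules = load_conf(conf)
    return {name: rule_fires(rules[0], variables, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    print("excluding SMTP servers:", evaluate())
    print("poster's original header:", evaluate(ORIGINAL_CONF))
```

With the list form the rule still fires on the SSH session carrying `/etc/passwd` but stays quiet for the same string headed to a mail server, while the original `$HOME_NET` header alerts on both.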

