[Snort-sigs] Not looking in Email
Esler, Joel Contractor
EslerJ at ...785...
Wed May 21 19:38:06 EDT 2003
I know it has to be possible to write a rule that will look for
something... such as...
alert tcp any any -> $HOME_NET any (msg:"ETCPASSWD"; flags:A+; content:
I wrote that rule to look for the string "/etc/passwd" in traffic. However,
is there a way I can make it NOT look in email? Like if I define my SMTP
servers in snort.conf and then write like
alert tcp any any -> $HOME_NET !$SMTP_SERVERS any ....
or something like that?