[Snort-sigs] Not looking in Email

security people securitypeople at ...12...
Wed May 21 20:32:02 EDT 2003


Use something like the following:

alert tcp any any <> $SMTP_SERVERS 25 (msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000004;)

Note the bidirectional sign <>


----- Original Message ----- 
From: "Esler, Joel Contractor" <EslerJ at ...785...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Wednesday, May 21, 2003 10:16 PM
Subject: [Snort-sigs] Not looking in Email


> I know it has to be possible, to write a rule that will look for
> something...  such as...
>
> alert tcp any any -> $HOME_NET any (msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000004;)
>
> I wrote that rule to look for the string "/etc/passwd" in traffic, however,
> is there a way I can make it NOT look in email?  like if I define my SMTP
> servers in snort.conf and then write like
>
> alert tcp any any -> $HOME_NET !$SMTP_SERVERS any ....
>
> or something like that?
>
> Joel Esler
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
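As an added illustration (not code from either poster, and not Snort itself), a small Python model of how a rule header's address fields and direction operator decide which packets a rule applies to. It assumes constructed values for $HOME_NET and $SMTP_SERVERS and four constructed sample packets, then evaluates three rules: Joel's original, a variant whose destination is written as the list `[$HOME_NET,!$SMTP_SERVERS]` so the mail servers are excluded, and the bidirectional `<>` rule from the reply. The list form with a negated member is written in Snort's rule-language style; which Snort versions accept it is not something this thread establishes, so treat it as an assumption to check against your own version's manual.

```python
import ipaddress
import re

# Constructed address variables standing in for snort.conf definitions
# (sample values chosen for this example, not taken from the thread).
VARS = {
    "HOME_NET": "192.168.1.0/24",
    "SMTP_SERVERS": "[192.168.1.25,192.168.1.26]",
}


def split_list(spec):
    """Split a bracketed list '[a,b,![c,d]]' into its top-level items."""
    items, depth, cur = [], 0, ""
    for ch in spec[1:-1]:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        items.append(cur)
    return items


def expand(spec):
    """Resolve an address spec into (include, exclude) lists of networks.
    Handles 'any', '$VAR', a CIDR or host, a bracket list, and '!' negation.
    An empty include list means 'everything' (so '!$HOME_NET' excludes only
    HOME_NET). Negation simply swaps the two sides, which covers the forms
    used in the thread; a negated list that itself mixes negations is not
    modelled exactly."""
    spec = spec.strip()
    if spec == "any":
        return [], []
    if spec.startswith("!"):
        inc, exc = expand(spec[1:])
        return exc, inc
    if spec.startswith("$"):
        return expand(VARS[spec[1:]])
    if spec.startswith("["):
        inc, exc = [], []
        for item in split_list(spec):
            i, e = expand(item)
            inc += i
            exc += e
        return inc, exc
    return [ipaddress.ip_network(spec, strict=False)], []


def addr_matches(ip, spec):
    """True when ip lies in some include network (or include is empty)
    and in no exclude network."""
    ip = ipaddress.ip_address(ip)
    inc, exc = expand(spec)
    if any(ip in n for n in exc):
        return False
    return not inc or any(ip in n for n in inc)


def port_matches(port, spec):
    return spec == "any" or int(spec) == port


RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Parse a one-line rule; only the header and 'content' are interpreted."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    rule = m.groupdict()
    c = re.search(r'content:\s*"([^"]*)"', rule["opts"])
    rule["content"] = c.group(1) if c else ""
    return rule


def header_matches(rule, src, sport, dst, dport):
    forward = (addr_matches(src, rule["src"]) and port_matches(sport, rule["sport"])
               and addr_matches(dst, rule["dst"]) and port_matches(dport, rule["dport"]))
    if forward or rule["dir"] == "->":
        return forward
    # '<>' also accepts the packet with source and destination swapped
    return (addr_matches(dst, rule["src"]) and port_matches(dport, rule["sport"])
            and addr_matches(src, rule["dst"]) and port_matches(sport, rule["dport"]))


def rule_matches(rule_text, pkt):
    rule = parse_rule(rule_text)
    src, sport, dst, dport, payload = pkt
    return header_matches(rule, src, sport, dst, dport) and rule["content"] in payload


# Constructed sample packets: (src, sport, dst, dport, payload)
PACKETS = {
    "web_to_home": ("10.0.0.7", 40001, "192.168.1.10", 80, "GET /../../etc/passwd HTTP/1.0"),
    "mail_to_smtp": ("10.0.0.7", 40002, "192.168.1.25", 25, "see /etc/passwd in the attachment"),
    "smtp_outbound": ("192.168.1.25", 25, "10.0.0.7", 40003, "250 /etc/passwd queued"),
    "benign": ("10.0.0.7", 40004, "192.168.1.10", 80, "GET /index.html HTTP/1.0"),
}


def hits(rule_text):
    """Names of the sample packets a rule fires on."""
    return [name for name, pkt in PACKETS.items() if rule_matches(rule_text, pkt)]


ORIGINAL = 'alert tcp any any -> $HOME_NET any (msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000004;)'
EXCLUDE_SMTP = 'alert tcp any any -> [$HOME_NET,!$SMTP_SERVERS] any (msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000005;)'
BIDIR_SMTP = 'alert tcp any any <> $SMTP_SERVERS 25 (msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000004;)'

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("exclude_smtp", EXCLUDE_SMTP), ("bidir_smtp", BIDIR_SMTP)):
        print(name, hits(rule))
```

Running it shows the original rule firing on both the web request and the message delivered to a mail server, the excluded-list variant firing only on the web request, and the `<>` rule firing on SMTP traffic in both directions but not on the web request, which is the practical difference between narrowing a rule to the mail servers and carving them out of its scope.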