[Snort-sigs] Not looking in Email

Esler, Joel Contractor EslerJ at ...785...
Wed May 21 20:35:05 EDT 2003

But that DOES look at SMTP servers; I don't want it to look in email, I want
it to look in the rest of the traffic...


-----Original Message-----
From: security people [mailto:securitypeople at ...12...]
Sent: Wednesday, May 21, 2003 11:31 PM
To: Esler, Joel Contractor; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Not looking in Email

Use something like the following:

alert tcp any any <> $SMTP_SERVERS 25 (msg:"ETCPASSWD"; flags:A+; content: "/etc/passwd"; sid:1000004;)

Note the bidirectional sign <>

----- Original Message ----- 
From: "Esler, Joel Contractor" <EslerJ at ...785...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Wednesday, May 21, 2003 10:16 PM
Subject: [Snort-sigs] Not looking in Email

> I know it has to be possible to write a rule that will look for
> something... such as...
> alert tcp any any -> $HOME_NET any (msg:"ETCPASSWD"; flags:A+; content: "/etc/passwd"; sid:1000004;)
> I wrote that rule to look for the string "/etc/passwd" in traffic.
> Is there a way I can make it NOT look in email? Like, if I define my SMTP
> servers in snort.conf and then write like
> alert tcp any any -> $HOME_NET !$SMTP_SERVERS any ....
> or something like that?
> Joel Esler
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
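An added example, not from any message in this thread, of how the "HOME_NET but not the SMTP servers" header Joel asked for can be written. It assumes the ipvar/list-negation syntax of Snort 2.8 and later (whether the 2003-era parser discussed above accepted it is not established by the thread), and the addresses assigned to the variables are constructed placeholders:

```snort
# snort.conf fragment (added example; the addresses are constructed placeholders)
ipvar HOME_NET 192.0.2.0/24
ipvar SMTP_SERVERS [192.0.2.25,192.0.2.26]

# The rule suggested in the reply above: it inspects only traffic to or from
# the SMTP servers on port 25, i.e. the mail traffic Joel wanted to skip.
alert tcp any any <> $SMTP_SERVERS 25 (msg:"ETCPASSWD to SMTP"; flags:A+; content:"/etc/passwd"; sid:1000004; rev:1;)

# Negated entry inside a list: the destination must be in HOME_NET AND must not
# be one of the SMTP servers. Snort ORs the non-negated entries and ANDs the
# result with the negated ones, so a negated entry may not be broader than
# the non-negated ones (e.g. [$HOME_NET,!$HOME_NET] is rejected at load time).
alert tcp any any -> [$HOME_NET,!$SMTP_SERVERS] any (msg:"ETCPASSWD outside SMTP servers"; flags:A+; content:"/etc/passwd"; sid:1000005; rev:1;)

# Alternative if the goal is "not mail traffic" rather than "not these hosts":
# keep HOME_NET as the destination and negate the SMTP port instead.
alert tcp any any -> $HOME_NET !25 (msg:"ETCPASSWD non-SMTP port"; flags:A+; content:"/etc/passwd"; sid:1000006; rev:1;)
```

Run `snort -T -c snort.conf` after adding these to confirm the variables and negated lists parse before loading them on a live sensor; a parse error in a list negation aborts the whole configuration rather than silently disabling one rule.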
