[Snort-sigs] Not looking in Email

Dale L. Handy dhandy at ...1244...
Wed May 21 20:47:05 EDT 2003


Actually, what you want is:

alert tcp any any <> !$SMTP_SERVERS 25 (msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000004;)

or:

alert tcp any any <> $HOME_NET !25 (msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000004;)

Of course, that won't stop it from looking in pop3 e-mail via port 110 or IMAP...


security people wrote:

>Use something like the following:
>
>alert tcp any any <> $SMTP_SERVERS 25 (msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000004;)
>
>Note the bidirectional sign <>
>
>
>----- Original Message ----- 
>From: "Esler, Joel Contractor" <EslerJ at ...785...>
>To: <snort-sigs at lists.sourceforge.net>
>Sent: Wednesday, May 21, 2003 10:16 PM
>Subject: [Snort-sigs] Not looking in Email
>
>>I know it has to be possible, to write a rule that will look for
>>something...  such as...
>>
>>alert tcp any any -> $HOME_NET any (msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000004;)
>>
>>I wrote that rule to look for the string "/etc/passwd" in traffic, however,
>>is there a way I can make it NOT look in email?  like if I define my SMTP
>>servers in snort.conf and then write like
>>
>>alert tcp any any -> $HOME_NET !$SMTP_SERVERS any ....
>>
>>or something like that?
>>
>>Joel Esler
>>
>>
>>-------------------------------------------------------
>>This SF.net email is sponsored by: ObjectStore.
>>If flattening out C++ or Java code to make your application fit in a
>>relational database is painful, don't do it! Check out ObjectStore.
>>Now part of Progress Software. http://www.objectstore.net/sourceforge
>>_______________________________________________
>>Snort-sigs mailing list
>>Snort-sigs at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/snort-sigs

-- 
"The trouble with doing something right the first time 
 is that nobody appreciates how difficult it was."

-- Dale L. Handy, P.E.
   dale at ...1527...          (208) 552-5332 (work)          (208) 403-6424 (cell)
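The three rule headers in this thread differ only in the address/port specs and the direction operator, and the thread's whole question is which packets each one selects. The following is an added example, not code from the thread or from Snort itself: a small Python model of Snort header matching (address and port negation with `!`, `$VAR` lookup, and the bidirectional `<>` operator, which accepts a packet if it matches with the endpoints swapped). The `snort.conf` variable values, the addresses and the packet payloads are constructed for the example; `flags:A+` and stream reassembly are not modelled, only the header and the `content` string.

```python
import ipaddress
import re

# Constructed values for the snort.conf variables the thread refers to.
# These are assumptions for the example, not values from any real config.
VARS = {
    "HOME_NET": ["192.0.2.0/24"],
    "SMTP_SERVERS": ["192.0.2.25"],
}

HEADER_RE = re.compile(
    r"^alert\s+tcp\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def parse_rule(rule):
    """Split a single-line Snort rule into its header fields and the content string."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %s" % rule)
    src_ip, src_port, direction, dst_ip, dst_port, options = m.groups()
    c = re.search(r'content:\s*"([^"]*)"', options)
    return {
        "src_ip": src_ip, "src_port": src_port, "dir": direction,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "content": c.group(1).encode() if c else b"",
    }


def _negated(spec):
    # A leading '!' inverts the match of the spec that follows it.
    if spec.startswith("!"):
        return True, spec[1:]
    return False, spec


def ip_matches(spec, ip):
    """Match an address against 'any', a literal network, or a $VAR, honouring '!'."""
    neg, spec = _negated(spec)
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        hit = True
    elif spec.startswith("$"):
        hit = any(addr in ipaddress.ip_network(n) for n in VARS[spec[1:]])
    else:
        hit = addr in ipaddress.ip_network(spec)
    return hit != neg


def port_matches(spec, port):
    """Match a port against 'any' or a single port number, honouring '!'."""
    neg, spec = _negated(spec)
    hit = spec == "any" or int(spec) == port
    return hit != neg


def _one_direction(h, src, sport, dst, dport):
    return (ip_matches(h["src_ip"], src) and port_matches(h["src_port"], sport)
            and ip_matches(h["dst_ip"], dst) and port_matches(h["dst_port"], dport))


def header_matches(h, src, sport, dst, dport):
    """'->' checks the packet as sent; '<>' also accepts it with the endpoints swapped."""
    if _one_direction(h, src, sport, dst, dport):
        return True
    return h["dir"] == "<>" and _one_direction(h, dst, dport, src, sport)


def rule_fires(rule, src, sport, dst, dport, payload):
    h = parse_rule(rule)
    return bool(header_matches(h, src, sport, dst, dport) and h["content"] in payload)


# The three headers discussed in the thread, with the same options on each.
OPTS = '(msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000004;)'
RULES = {
    "original": "alert tcp any any -> $HOME_NET any " + OPTS,
    "not_smtp_servers": "alert tcp any any <> !$SMTP_SERVERS 25 " + OPTS,
    "not_port_25": "alert tcp any any <> $HOME_NET !25 " + OPTS,
}

# Constructed sample packets: (name, src, sport, dst, dport, payload). Every
# payload contains the content string, so only the header decides the outcome.
PACKETS = [
    ("mail_to_smtp", "198.51.100.7", 40000, "192.0.2.25", 25, b"Subject: see /etc/passwd\r\n"),
    ("unlisted_mail_host", "198.51.100.7", 40003, "192.0.2.99", 25, b"Subject: see /etc/passwd\r\n"),
    ("http_request", "198.51.100.7", 40001, "192.0.2.80", 80, b"GET /etc/passwd HTTP/1.0\r\n\r\n"),
    ("http_reply", "192.0.2.80", 80, "198.51.100.7", 40001, b"HTTP/1.0 404 Not Found\r\n\r\n/etc/passwd\r\n"),
    ("pop3_fetch", "192.0.2.25", 110, "198.51.100.7", 40002, b"+OK\r\nbody mentions /etc/passwd\r\n"),
]


def evaluate():
    """Return {rule name: [names of packets that fire]} for the constructed packets."""
    return {name: [p[0] for p in PACKETS if rule_fires(r, *p[1:])]
            for name, r in RULES.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print("%-18s %s" % (name, ", ".join(hits) or "(nothing)"))
```

Running it shows the effect of each header on these packets: the `->` rule fires on anything bound for `$HOME_NET`, including the mail delivered to the SMTP server; the `<> !$SMTP_SERVERS 25` header selects only port 25 traffic whose port-25 end is not a listed SMTP server; and the `<> $HOME_NET !25` header excludes port 25 but, because of `<>`, also fires on the server's HTTP reply and on the POP3 fetch on port 110, which is the caveat at the end of the reply above.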