[Snort-sigs] Not looking in Email

security people securitypeople at ...12...
Thu May 22 04:57:07 EDT 2003


Yes that is correct. Sorry I forgot to put the ! sign in my previous
posting.

----- Original Message ----- 
From: "Dale L. Handy" <dhandy at ...1244...>
To: <snort-sigs at lists.sourceforge.net>
Cc: "Esler, Joel Contractor" <EslerJ at ...785...>
Sent: Wednesday, May 21, 2003 11:45 PM
Subject: Re: [Snort-sigs] Not looking in Email


> Actually, what you want is:
>
> alert tcp any any <> !$SMTP_SERVERS 25 (msg:"ETCPASSWD"; flags:A+;
> content:"/etc/passwd"; sid:1000004;)
>
> or:
>
> alert tcp any any <> $HOME_NET !25 (msg:"ETCPASSWD"; flags:A+; content:
> "/etc/passwd"; sid:1000004;)
>
> Of course, that won't stop it from looking in pop3 e-mail via port 110 or
> IMAP...
>
>
> security people wrote:
>
> >Use something like the following:
> >
> >alert tcp any any <> $SMTP_SERVERS 25 (msg:"ETCPASSWD"; flags:A+;
> >content:"/etc/passwd"; sid:1000004;)
> >
> >Note the bidirectional sign <>
> >
> >
> >----- Original Message ----- 
> >From: "Esler, Joel Contractor" <EslerJ at ...785...>
> >To: <snort-sigs at lists.sourceforge.net>
> >Sent: Wednesday, May 21, 2003 10:16 PM
> >Subject: [Snort-sigs] Not looking in Email
> >
> >
> >
> >
> >>I know it has to be possible, to write a rule that will look for
> >>something...  such as...
> >>
> >>alert tcp any any -> $HOME_NET any (msg:"ETCPASSWD"; flags:A+; content:
> >>"/etc/passwd"; sid:1000004;)
> >>
> >>I wrote that rule to look for the string "/etc/passwd" in traffic,
> >>however, is there a way I can make it NOT look in email?  like if I define
> >>my SMTP servers in snort.conf and then write like
> >>
> >>alert tcp any any -> $HOME_NET !$SMTP_SERVERS any ....
> >>
> >>or something like that?
> >>
> >>Joel Esler
> >>
> >>
> >>-------------------------------------------------------
> >>This SF.net email is sponsored by: ObjectStore.
> >>If flattening out C++ or Java code to make your application fit in a
> >>relational database is painful, don't do it! Check out ObjectStore.
> >>Now part of Progress Software. http://www.objectstore.net/sourceforge
> >>_______________________________________________
> >>Snort-sigs mailing list
> >>Snort-sigs at lists.sourceforge.net
> >>https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >>
> >>
> >>
> >
> >
> >
> >
> >
> >
>
> -- 
> "The trouble with doing something right the first time
>  is that nobody appreciates how difficult it was."
>
> -- Dale L. Handy, P.E.
>    dale at ...1527...          (208) 552-5332 (work)          (208) 403-6424
>    (cell)
>
>
>
>
>
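To make the address/port negation and the bidirectional `<>` operator discussed in this thread concrete, here is an added Python example (not Snort code, and not written by any of the posters) that evaluates a simplified Snort rule header against a TCP 5-tuple. The HOME_NET and SMTP_SERVERS values are constructed for the example, and only the subset of header syntax used in the thread (any, $VAR, CIDR, single ports, `!`, `->`, `<>`) is handled.

```python
import ipaddress

# Constructed snort.conf-style variables; the values are assumptions, not from the thread.
VARS = {
    "HOME_NET": ["10.0.0.0/8"],
    "SMTP_SERVERS": ["10.0.0.25", "10.0.0.26"],
}

def ip_matches(spec, ip):
    """Evaluate one address field: any, $VAR or CIDR, optionally prefixed with '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    else:
        nets = VARS[spec[1:]] if spec.startswith("$") else [spec]
        addr = ipaddress.ip_address(ip)
        hit = any(addr in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negate  # a leading '!' inverts the field

def port_matches(spec, port):
    """Evaluate one port field: any or a single port, optionally prefixed with '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or int(spec) == port
    return hit != negate

def header_matches(rule, sip, sport, dip, dport):
    """True if the rule header (everything before '(') applies to this 5-tuple."""
    _action, _proto, src, sp, direction, dst, dp = rule.split("(", 1)[0].split()
    forward = (ip_matches(src, sip) and port_matches(sp, sport)
               and ip_matches(dst, dip) and port_matches(dp, dport))
    if direction == "->":
        return forward
    # '<>' (bidirectional) also tries the header with the two endpoints swapped.
    reverse = (ip_matches(src, dip) and port_matches(sp, dport)
               and ip_matches(dst, sip) and port_matches(dp, sport))
    return forward or reverse

# The two headers suggested in the thread, with the option body left as posted.
RULE_NOT_SMTP_HOST = 'alert tcp any any <> !$SMTP_SERVERS 25 (msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000004;)'
RULE_NOT_PORT_25 = 'alert tcp any any <> $HOME_NET !25 (msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000004;)'

if __name__ == "__main__":
    # Client 192.0.2.5 talking to the mail server on 25: excluded by both headers.
    print(header_matches(RULE_NOT_SMTP_HOST, "192.0.2.5", 4444, "10.0.0.25", 25))  # False
    # Same client fetching POP3 on 110: still inspected, as Dale points out.
    print(header_matches(RULE_NOT_PORT_25, "192.0.2.5", 4444, "10.0.0.80", 110))   # True
```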