[Snort-sigs] dropping traffic

Erek Adams erek at ...95...
Wed May 28 08:59:03 EDT 2003


On Wed, 28 May 2003, Esler, Joel  Contractor wrote:

> pass $SMTP_SERVERS any -> $EXTERNAL_NET any (msg:"Traffic dropper";
> content????????????????????????
>
> What would I write to be able to drop all traffic from the email server
> (filter it out basically)....

http://www.theadamsfamily.net/~erek/snort/ignore.txt

> or what could I write to trigger an IP?
> (both ways I am asking)....
>
> alert <IP here> any -> $HOME_NET (msg:"<IP here> connection event";
> content:"%20";)

Yes.  You could even remove the content to make it fire on any connection.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




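The two rules discussed in this thread, written out in full as an added example (not part of the original post or of the linked ignore.txt). The watched address, sids and messages are constructed placeholders, and `$SMTP_SERVERS`, `$EXTERNAL_NET` and `$HOME_NET` are assumed to be defined in snort.conf.

```snort
# Added example; the address (RFC 5737 documentation range) and sids are constructed.

# 1) Ignore everything the mail servers send outbound.
#    A pass rule needs no content match: the rule header alone selects the traffic.
#    Snort releases of this period evaluate rules in alert -> pass -> log order,
#    so run snort with -o (pass -> alert -> log); otherwise an alert rule
#    can still fire on these packets before the pass rule is consulted.
pass ip $SMTP_SERVERS any -> $EXTERNAL_NET any

# 2) Alert on traffic from one watched host. With no content option the rule
#    matches on the header only, so it fires for every packet from that host.
alert ip 192.0.2.10 any -> $HOME_NET any (msg:"192.0.2.10 connection event"; sid:1000001; rev:1;)

# 2b) Narrower variant: one alert per TCP connection attempt (SYN only),
#     which keeps a chatty host from flooding the alert file.
alert tcp 192.0.2.10 any -> $HOME_NET any (msg:"192.0.2.10 TCP connection attempt"; flags:S; sid:1000002; rev:1;)
```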