[Snort-sigs] rule with traffic in both directions
rosa.schwein at ...2991...
Sat Apr 23 14:08:44 EDT 2005
I have written a rule which alerts if the rset command
occurs in the SMTP stream to the server. See below:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RSET"; flow:to_server,established; content:"rset"; nocase; pcre:"/^rset/smi"; classtype:attempted-recon; sid:050313; rev:1;)
Now I would like to modify this. It should only fire if, in the
traffic some packets before, in the direction from server to client,
the following text "Greylisting in action" can be found as part
of the stream.
Is it possible to realise this with Snort?
As I am not so familiar with writing rules,
I would appreciate any help.
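
Added example, not part of the original post: one way to express the condition asked about is Snort's flowbits option, where a silent rule marks the TCP session when the server sends the greylisting text and the RSET rule checks that mark. The flowbit name smtp.greylisted and the sid values are constructed placeholders; flowbits state is kept per TCP session, so both events must occur on the same connection.

```snort
# Rule 1: server -> client. Mark the session when the greylisting
# text is seen. flowbits:noalert keeps this rule from alerting itself.
# (sid 1000001 and the flowbit name are placeholders.)
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP greylisting response seen"; flow:to_client,established; content:"Greylisting in action"; flowbits:set,smtp.greylisted; flowbits:noalert; sid:1000001; rev:1;)

# Rule 2: client -> server. Same match as the posted RSET rule, but it
# only fires if rule 1 already set the flowbit on this session.
# (sid 1000002 is a placeholder.)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RSET after greylisting"; flow:to_server,established; flowbits:isset,smtp.greylisted; content:"rset"; nocase; pcre:"/^rset/smi"; classtype:attempted-recon; sid:1000002; rev:1;)
```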