[Snort-sigs] rule with traffic in both directions

hans rosa.schwein at ...2991...
Sat Apr 23 14:08:44 EDT 2005

Hi all,

I have written a rule which alerts if the RSET command
occurs in the SMTP stream to the server. See below:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RSET"; flow:to_server,established; content:"rset"; nocase; pcre:"/^rset/smi"; classtype:attempted-recon; sid:050313; rev:1; )

Now I would like to modify this. It should only fire if, some
packets before in the traffic, in the direction from server to client,
the following text "Greylisting in action" can be found as part
of the stream.

Is it possible to realise this with Snort?

As I am not so familiar with writing rules,
I would appreciate any help.

Best regards
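
An added example, not part of the original post: Snort's flowbits option keeps state per TCP session, so a server-to-client rule can mark the session and the RSET rule can require that mark. The sids 1000001/1000002, the msg texts and the flowbit name smtp.greylisted are constructed placeholders.

```snort
# Rule 1 (server -> client): mark the session when the greylisting text is seen.
# flowbits:noalert makes this rule set state only; it never raises an alert itself.
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP greylisting reply seen"; flow:to_client,established; content:"Greylisting in action"; flowbits:set,smtp.greylisted; flowbits:noalert; classtype:not-suspicious; sid:1000001; rev:1;)

# Rule 2 (client -> server): the RSET rule from the post, gated on the mark set by rule 1.
# It fires only if rule 1 matched earlier in the same TCP session.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RSET after greylisting reply"; flow:to_server,established; flowbits:isset,smtp.greylisted; content:"rset"; nocase; pcre:"/^rset/smi"; classtype:attempted-recon; sid:1000002; rev:1;)
```

Flowbit state does not carry across connections: a client that disconnects after the greylisting reply and sends RSET on a new connection will not match rule 2.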

