[Snort-sigs] rule with traffic in both directions

Brian bmc at ...95...
Mon Apr 25 07:45:34 EDT 2005


On Sat, Apr 23, 2005 at 11:08:05PM +0200, hans wrote:
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RSET";
> flow:to_server,established; content:"rset"; nocase;
> pcre:"/^rset/smi"; classtype:attempted-recon; sid:050313; rev:1; )
> 
> Now I would like to modify this. It should only fire if, in the
> traffic some packets before, in the direction from server to client,
> the following text "Greylisting in action" can be found as part
> of the stream.


# First rule: set the flowbit when the server's greylisting reply is seen
# (sid values below are local-range placeholders, not assigned ids)
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP GREYLIST";
    flow:from_server,established; content:"Greylisting in action"; nocase;
    flowbits:set,smtp.greylist; classtype:attempted-recon; sid:1000001; rev:1;)
# Second rule: only fires if the flowbit was set earlier in the same session
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RSET";
    flow:to_server,established; flowbits:isset,smtp.greylist;
    content:"rset"; nocase; pcre:"/^rset/smi"; classtype:attempted-recon;
    sid:1000002; rev:1;)

Brian
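To show how the two rules share per-session state through flowbits, here is an added Python simulation of that logic over a constructed SMTP exchange; it is not Brian's code or Snort itself, and the addresses, ports and payloads are placeholders.

```python
import re

# Constructed addresses (placeholders, not from the original thread)
MAIL_SERVER = "192.0.2.25"
CLIENT_A = "198.51.100.10"
CLIENT_B = "203.0.113.7"

GREYLIST_RE = re.compile(rb"greylisting in action", re.IGNORECASE)         # content + nocase
RSET_RE = re.compile(rb"^rset", re.IGNORECASE | re.MULTILINE | re.DOTALL)  # pcre:"/^rset/smi"


def flow_key(src, sport, dst, dport):
    """Both directions of one TCP session map to the same flowbits entry."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def run_rules(packets):
    """Replay (src, sport, dst, dport, payload) packets through the two rules.

    Returns the list of (msg, peer_ip) alerts in the order they would fire.
    """
    flowbits = {}  # flow key -> set of bit names set on that session
    alerts = []
    for src, sport, dst, dport, payload in packets:
        bits = flowbits.setdefault(flow_key(src, sport, dst, dport), set())
        # Rule 1: server -> client, sets smtp.greylist (and alerts, as written above)
        if src == MAIL_SERVER and sport == 25 and GREYLIST_RE.search(payload):
            bits.add("smtp.greylist")
            alerts.append(("SMTP GREYLIST", dst))
        # Rule 2: client -> server; flowbits:isset gates it on this flow's own state
        elif (dst == MAIL_SERVER and dport == 25
              and "smtp.greylist" in bits and RSET_RE.search(payload)):
            alerts.append(("SMTP RSET", src))
    return alerts


# Constructed sample traffic: three sessions, only the first should produce SMTP RSET
SAMPLE = [
    (CLIENT_A, 40001, MAIL_SERVER, 25, b"MAIL FROM:<a@example.net>\r\n"),
    (MAIL_SERVER, 25, CLIENT_A, 40001, b"450 4.7.1 Greylisting in action, try later\r\n"),
    (CLIENT_A, 40001, MAIL_SERVER, 25, b"RSET\r\n"),   # bit set on this flow -> alert
    (CLIENT_B, 40002, MAIL_SERVER, 25, b"RSET\r\n"),   # no greylist reply seen -> silent
    (CLIENT_A, 40003, MAIL_SERVER, 25, b"rset\r\n"),   # new session, bit not carried over
]

if __name__ == "__main__":
    for msg, peer in run_rules(SAMPLE):
        print(f"{msg} from {peer}")
```

The third and fifth packets differ only in session; the fifth stays silent because a flowbit belongs to the flow it was set on, not to the client address.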



