[Snort-sigs] SMTP rule "Access Denied for Mail Relay"

volga629 at ...3439...
Tue Dec 29 18:37:08 EST 2009



Hello,

I added this alert to a new smtp.rule:

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any
(msg:"Possible mail relay usage"; content:"Relaying denied";
flags:A+; classtype:trojan-activity; sid:1000001; rev:1;)

When I tested Snort in verbose mode (snort -v), I saw SMTP traffic going through, but nothing was denied by Snort.

I wonder what else I need to add to Snort. The mail server denies mail relay anyway, but I want Snort to do this job instead.

Thank you in advance.
