[Snort-sigs] SMTP rule "Access Denied for Mail Relay"

Joel Esler jesler at ...435...
Tue Dec 29 22:25:08 EST 2009

On Tue, Dec 29, 2009 at 06:37:08PM -0500, volga629 at ...3439... wrote:
>    Hello,
>    I added this alert to new smtp.rule
>    alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any
>    (msg:"Possible mail relay usage"; content:"Relaying denied";
>    flags:A+; classtype:trojan-activity; sid:1000001; rev:1;)
>    When I tested snort in verbose snort -v i see smtp traffic going through,
>    but no denied by snort.
>    I wonder what else need add to snort ? Mail server is deny mail relay
>    anyway, but i want the snort will do this job instead.

If I understand your request properly, you are trying to get Snort to deny traffic?  As in, using Snort in an IPS (inline) capacity?

Or are you simply trying to get Snort to alert on the traffic that your email server is sending?

Sorry for the confusion.

Joel Esler | 302-223-5974 | gtalk: jesler at ...435...

More information about the Snort-sigs mailing list