[Snort-users] Can I make a rule to catch SMTP banners?

Jason Haar Jason.Haar at ...294...
Mon Nov 20 17:54:50 EST 2000


I'm wondering if we can use Snort for more than just IDS. I was looking at
something that made me think - "what kinds of mail servers does our mail
server connect to?". 

Can I make a rule that matches on the first line returned from an outgoing
SMTP connection: e.g.

220 trimble.co.nz ESMTP Trimble Navigation New Zealand Ltd ESMTP

I thought something along the lines of:

alert TCP $EXTERNAL 25 -> $INTERNAL any (msg: "SMTP session"; flags: AP;
content: "220"; depth: 60;)

should match. However, that matches any SMTP packet containing 220 - not
just the first one of a session. 

Is there any way to match on just the first occurrence within a single TCP
session?

Thanks

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
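The question above asks for a match on only the first server line of a session rather than every packet containing "220". As an added illustration (not code from the post, and not a Snort rule), the Python below replays a constructed set of SMTP segments and contrasts the two behaviours: a packet-by-packet content match with a 60-byte depth, which fires on every 220 reply in a session, against a per-session "seen" flag that records the greeting banner once per connection. The Packet type, the sample traffic and the client/server addresses are all constructed for the example; the first banner text is the one quoted in the post.

```python
"""Report an SMTP greeting banner once per TCP session.

Added example, not part of the original mailing-list post. It takes a
constructed list of TCP segments (a stand-in for what Snort sees on the
wire) and shows why `content:"220"; depth:60;` fires on every packet
with a 220 reply, while per-session state reports only the first
server-to-client line of each connection.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment carrying data (constructed stand-in for a sniffed packet)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic: two outbound SMTP sessions from one mail server.
SAMPLE_PACKETS = [
    # session 1: 192.0.2.5 -> 203.0.113.10 (banner text quoted from the post)
    Packet("203.0.113.10", 25, "192.0.2.5", 4001,
           b"220 trimble.co.nz ESMTP Trimble Navigation New Zealand Ltd ESMTP\r\n"),
    Packet("192.0.2.5", 4001, "203.0.113.10", 25, b"EHLO mail.example.org\r\n"),
    Packet("203.0.113.10", 25, "192.0.2.5", 4001,
           b"250-trimble.co.nz\r\n250 STARTTLS\r\n"),
    Packet("192.0.2.5", 4001, "203.0.113.10", 25, b"STARTTLS\r\n"),
    # a second 220 reply in the same session: a plain content match fires again
    Packet("203.0.113.10", 25, "192.0.2.5", 4001,
           b"220 2.0.0 Ready to start TLS\r\n"),
    # session 2: 192.0.2.5 -> 198.51.100.7
    Packet("198.51.100.7", 25, "192.0.2.5", 4002,
           b"220 mx.example.net ESMTP Postfix\r\n"),
    Packet("192.0.2.5", 4002, "198.51.100.7", 25, b"EHLO mail.example.org\r\n"),
    Packet("198.51.100.7", 25, "192.0.2.5", 4002, b"250 mx.example.net\r\n"),
]

# A greeting is a reply code 220 at the very start of the payload; the
# capture group keeps the rest of the line (host name and banner text).
BANNER_RE = re.compile(rb"^220[ -]([^\r\n]*)")


def session_key(pkt):
    """Order the two endpoints so both directions map to one session key."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


def naive_match(packets, depth=60):
    """Packet-by-packet check equivalent to `content:"220"; depth:60;` on
    traffic from port 25: every segment whose first `depth` bytes contain
    the string, not just the greeting, is returned."""
    return [p for p in packets if p.sport == 25 and b"220" in p.payload[:depth]]


def first_banner_per_session(packets):
    """Return {session_key: (server_ip, banner_text)} using the first
    server-to-client payload of each session only. Later 220 replies in
    the same session (for example after STARTTLS) are ignored, and a
    session whose first server line is not a 220 yields no banner."""
    seen = set()
    banners = {}
    for p in packets:
        if p.sport != 25:
            continue  # only server-to-client data can carry the greeting
        key = session_key(p)
        if key in seen:
            continue  # not the first server line of this session
        seen.add(key)
        m = BANNER_RE.match(p.payload)
        if m:
            banners[key] = (p.src, m.group(1).decode("ascii", "replace"))
    return banners


if __name__ == "__main__":
    print("naive content match fired on", len(naive_match(SAMPLE_PACKETS)), "packets")
    for server, banner in sorted(first_banner_per_session(SAMPLE_PACKETS).values()):
        print(f"{server}: {banner}")
```

Run on the sample traffic, the naive match fires three times (two greetings plus the 220 reply to STARTTLS) while the per-session version reports exactly two banners, one per remote mail server. The "seen" set is the piece the packet-level rule lacks; in later Snort releases the flowbits keyword carries that kind of per-session state inside the rule language itself.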
