[Snort-users] Can I make a rule to catch SMTP banners?
Jason.Haar at ...294...
Mon Nov 20 17:54:50 EST 2000
I'm wondering if we can use Snort for more than just IDS. I was looking at
something that made me think - "what kinds of mail servers does our mail
server connect to?".
Can I make a rule that matches on the first line returned from an outgoing
SMTP connection: e.g.
220 trimble.co.nz ESMTP Trimble Navigation New Zealand Ltd ESMTP
I thought something along the lines of:
alert TCP $EXTERNAL 25 -> $INTERNAL any (msg: "SMTP session"; flags: AP;
content: "220"; depth: 60;)
should match. However, that matches any SMTP packet containing 220 - not
just the first one of a session.
Is there any way to match on just the first occurance within a single TCP
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
More information about the Snort-users