[Snort-users] Snort rule question

James Lay slave_tothe_box at ...131...
Thu Jun 26 05:39:29 EDT 2003


So ok....trying to catch those naughty spammers using:

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"Open Mail Relay Attempt"; content:"Relay access denied"; classtype:mail-abuse; sid:1000001; rev:1;)

Now the above rule works.  I originally had:

alert tcp $EXTERNAL_NET any <- $SMTP_SERVERS 25 (msg:"Open Mail Relay Attempt"; content:"Relay access denied"; classtype:mail-abuse; sid:1000001; rev:1;)

And it did not work.  Any reason the two aren't equivalent?

Thanks!

James
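
An added example, not part of the original post: a small Python lint for the direction operator in a rule header, run over the two rules quoted above. It relies on the Snort manual's definition of only `->` and `<>` as direction operators (there is no `<-`); the function name `lint_direction` and the assumption that address and port fields contain no whitespace are choices made for this sketch.

```python
import re

# Direction operators defined by the Snort rule language:
# "->" (source to destination) and "<>" (bidirectional). "<-" is not one.
VALID_DIRECTIONS = {"->", "<>"}

# Header layout: action proto src sport DIR dst dport (options)
# Assumption: no whitespace inside the address/port fields.
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>\S+)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

# The two rules exactly as quoted in the post.
WORKING = ('alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any '
           '(msg:"Open Mail Relay Attempt"; content:"Relay access denied"; '
           'classtype:mail-abuse; sid:1000001; rev:1;)')
ORIGINAL = ('alert tcp $EXTERNAL_NET any <- $SMTP_SERVERS 25 '
            '(msg:"Open Mail Relay Attempt"; content:"Relay access denied"; '
            'classtype:mail-abuse; sid:1000001; rev:1;)')


def lint_direction(rule):
    """Return (status, suggested_rewrite) for a single-line rule."""
    m = HEADER_RE.match(rule)
    if not m:
        return ("unparsed", None)
    f = m.groupdict()
    if f["dir"] in VALID_DIRECTIONS:
        return ("ok", None)
    if f["dir"] == "<-":
        # Express the intended flow with "->" by swapping the two endpoints.
        fixed = ("{action} {proto} {dst} {dport} -> {src} {sport} ({opts})"
                 .format(**f))
        return ("invalid-direction", fixed)
    return ("unknown-direction", None)


if __name__ == "__main__":
    for rule in (WORKING, ORIGINAL):
        status, fixed = lint_direction(rule)
        print(status, "|", rule[:45] + "...")
        if fixed:
            print("  rewrite as:", fixed)
```

For the second rule the suggested rewrite is character-for-character the first rule, which is the form that fired.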



