[Snort-users] Snort rule question

Erek Adams erek at ...950...
Thu Jun 26 06:32:41 EDT 2003


On Thu, 26 Jun 2003, James Lay wrote:

> So ok....trying to catch those naughty spammers using:
>
> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"Open Mail Relay Attempt"; content:"Relay access denied"; classtype:mail-abuse; sid:1000001; rev:1;)
>
> Now the above rule works.  I originally had:
>
> alert tcp $EXTERNAL_NET any <- $SMTP_SERVERS 25 (msg:"Open Mail Relay Attempt"; content:"Relay access denied"; classtype:mail-abuse; sid:1000001; rev:1;)
>
> And it did not work.  Any reason the two aren't equivalent?

Well logically they are....

The <- operator never really worked and was removed from the code.  What
version of Snort are you running?  Recent versions should have said that
the <- was invalid.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

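The point made in the reply above, as an added example that is not part of the original post: a small linter that flags the `<-` operator in a rules file and emits the equivalent `->` rule by swapping the two sides. The names `check_rule`, `lint_rules` and the sample file are hypothetical, and the header parser assumes whitespace-separated fields with no spaces inside address lists.

```python
import re

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))\s*$"
)
VALID_DIRECTIONS = {"->", "<>"}  # one-way and bidirectional; "<-" is not accepted


def check_rule(rule):
    """Return (status, rule_text); status is 'ok', 'rewritten' or 'invalid'."""
    m = HEADER.match(rule)
    if m is None:
        return "invalid", rule
    f = m.groupdict()
    if f["dir"] in VALID_DIRECTIONS:
        return "ok", rule.strip()
    if f["dir"] == "<-":
        # "A <- B" was meant as "traffic from B to A": swap the two sides.
        fixed = "{action} {proto} {dst} {dport} -> {src} {sport} {opts}".format(**f)
        return "rewritten", fixed
    return "invalid", rule


def lint_rules(text):
    """Check every non-comment line; return [(lineno, status, rule_text), ...]."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        status, out = check_rule(line)
        results.append((lineno, status, out))
    return results


# Constructed sample file built from the two rules quoted in the thread.
OPTS = ('(msg:"Open Mail Relay Attempt"; content:"Relay access denied"; '
        'classtype:mail-abuse; sid:1000001; rev:1;)')
SAMPLE = "\n".join([
    "# local.rules (constructed sample)",
    "alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any " + OPTS,
    "alert tcp $EXTERNAL_NET any <- $SMTP_SERVERS 25 " + OPTS,
])

if __name__ == "__main__":
    for lineno, status, rule in lint_rules(SAMPLE):
        print(lineno, status, rule)
```

Running a check like this before loading rules catches a `<-` rule on a Snort build that does not reject it, where the rule would otherwise load and never fire.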


