[Snort-users] Snort rule question
erek at ...950...
Thu Jun 26 06:32:41 EDT 2003
On Thu, 26 Jun 2003, James Lay wrote:
> So ok....trying to catch those naughty spammers using:
> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"Open Mail Relay Attempt"; content:"Relay access denied"; classtype:mail-abuse; sid:1000001; rev:1;)
> Now the above rule works. I originally had:
> alert tcp $EXTERNAL_NET any <- $SMTP_SERVERS 25 (msg:"Open Mail Relay Attempt"; content:"Relay access denied"; classtype:mail-abuse; sid:1000001; rev:1;)
> And it did not work. Any reason the two aren't equivalent?
Well logically they are....
The <- operator never really worked and was removed from the code. What
version of Snort are you running? Recent versions should have said that
the <- was invalid.
"When things get weird, the weird turn pro." H.S. Thompson
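
Added example (not part of the original post and not Snort's own code): a small Python lint that flags a `<-` rule header and rewrites it into the equivalent `->` form by swapping the two address/port pairs, which is the change that turns the second rule in the thread into the first. The function name `normalize_rule` and the header regex are hypothetical, and the parser assumes single-line rules with no whitespace inside address or port lists.

```python
import re

# Header layout: action proto left_addr left_port DIRECTION right_addr right_port (options)
# Assumption: single-line rule, no whitespace inside address or port lists.
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<laddr>\S+)\s+(?P<lport>\S+)\s+(?P<dir>\S+)\s+"
    r"(?P<raddr>\S+)\s+(?P<rport>\S+)\s*(?P<opts>\(.*\))\s*$"
)
VALID_DIRECTIONS = {"->", "<>"}  # the direction operators Snort accepts

# The two rules quoted in the thread above.
RULE_WORKING = (
    'alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any '
    '(msg:"Open Mail Relay Attempt"; content:"Relay access denied"; '
    'classtype:mail-abuse; sid:1000001; rev:1;)'
)
RULE_REJECTED = RULE_WORKING.replace(
    "$SMTP_SERVERS 25 -> $EXTERNAL_NET any",
    "$EXTERNAL_NET any <- $SMTP_SERVERS 25",
)


def normalize_rule(rule):
    """Return (rule_text, changed).

    A '<-' header is rewritten as '->' with the left and right
    address/port pairs swapped, so the traffic source ends up on the left.
    Any other unknown operator raises ValueError.
    """
    m = HEADER_RE.match(rule)
    if m is None:
        raise ValueError("could not parse rule header")
    f = m.groupdict()
    if f["dir"] in VALID_DIRECTIONS:
        return rule.strip(), False
    if f["dir"] != "<-":
        raise ValueError("unknown direction operator: %r" % f["dir"])
    fixed = "{action} {proto} {raddr} {rport} -> {laddr} {lport} {opts}".format(**f)
    return fixed, True


if __name__ == "__main__":
    for r in (RULE_WORKING, RULE_REJECTED):
        text, changed = normalize_rule(r)
        print("REWRITTEN" if changed else "OK       ", text)
```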