[Snort-users] Snort rule question

Brian bmc at ...950...
Thu Jun 26 11:03:09 EDT 2003


On Thu, Jun 26, 2003 at 06:37:06AM -0600, James Lay wrote:
> So ok....trying to catch those naughty spammers using:
> 
> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"Open Mail Relay Attempt"; content:"Relay access denied"; classtype:mail-abuse; sid:1000001; rev:1;)
> 
> Now the above rule works.  I originally had:
> 
> alert tcp $EXTERNAL_NET any <- $SMTP_SERVERS 25 (msg:"Open Mail Relay Attempt"; content:"Relay access denied"; classtype:mail-abuse; sid:1000001; rev:1;)

You shouldn't use <- anymore.  It has been deprecated.  You should
rewrite your rules.

-b
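
The rewrite the reply asks for, as an added example that is not part of the original message or of Snort itself: a Python script that finds rules using `<-` and swaps the two address/port pairs to give the equivalent `->` form. It assumes one rule per line with no whitespace inside the header fields; the function names and the third sample rule are constructed for illustration.

```python
import re

# Snort rule header layout:
#   action proto src_addr src_port DIRECTION dst_addr dst_port (options)
# Assumption: one rule per line, no whitespace inside any header field.
HEADER = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)\s+(?P<lport>\S+)\s+(?P<dir><-|->|<>)\s+"
    r"(?P<right>\S+)\s+(?P<rport>\S+)\s+(?P<opts>\(.*\))\s*$"
)


def rewrite_rule(line):
    """Return (rule, changed): '<-' rules come back in '->' form."""
    if line.lstrip().startswith("#"):
        return line, False          # leave commented-out rules alone
    m = HEADER.match(line)
    if m is None or m.group("dir") != "<-":
        return line, False          # not a rule, or already '->' / '<>'
    # "A <- B" describes traffic from B to A, so swap the two sides.
    fixed = "{action} {proto} {right} {rport} -> {left} {lport} {opts}".format(
        **m.groupdict())
    return fixed, True


def rewrite_rules(text):
    """Rewrite a whole rules file; return (new_text, changed_line_numbers)."""
    out, changed = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        new, did = rewrite_rule(line)
        out.append(new)
        if did:
            changed.append(n)
    return "\n".join(out), changed


# Constructed sample: the two rules from the message, plus a made-up rule
# whose content match contains "<-" and must not be treated as the operator.
SAMPLE = "\n".join([
    'alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"Open Mail Relay Attempt"; content:"Relay access denied"; classtype:mail-abuse; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any <- $SMTP_SERVERS 25 (msg:"Open Mail Relay Attempt"; content:"Relay access denied"; classtype:mail-abuse; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Constructed example"; content:"<-"; sid:1000002; rev:1;)',
])

if __name__ == "__main__":
    new_text, changed = rewrite_rules(SAMPLE)
    print("rewrote lines:", changed)
    print(new_text)
```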



