[Snort-users] new to snort
mkettler at ...4108...
Mon Feb 7 10:27:17 EST 2005
Ahh, good point, I missed the "mail" part of the original question.
You probably want flags:S+ as well, unless you want to log every packet in
the mail transfer, and not just the initial connection request.
At 12:13 PM 2/7/2005, Leon Ward wrote:
>I think you may want to specify a destination port of 25 there as well
>(for SMTP outbound).
>alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"LOCAL traffic from home to external";)
>On Mon, 2005-02-07 at 11:25 -0500, Matt Kettler wrote:
> > At 10:27 AM 2/7/2005, Jürgen Schinker wrote:
> > >can somebody write me a rule to detect simple mail Traffic from HOME_NET ->
> > >EXTERNAL_NET?
> > alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL traffic from home to external";)
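
Added example, not part of the original thread: a small Python model of the three rule variants discussed above (ip/any, tcp to port 25, and tcp to port 25 with flags:S+), run over a constructed SMTP session to show how many alerts each would raise. The addresses, the HOME_NET range, and the treatment of $EXTERNAL_NET as "not HOME_NET" are assumptions made for the illustration.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed value for $HOME_NET
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01        # TCP flag bits

# Constructed traffic: one SMTP session from a home client, then one DNS query.
# Fields: (protocol, source IP, destination IP, destination port, TCP flags)
C, S = "192.168.1.10", "203.0.113.5"
PACKETS = [
    ("tcp", C, S, 25, SYN),           # connection request
    ("tcp", S, C, 1025, SYN | ACK),   # server reply (inbound)
    ("tcp", C, S, 25, ACK),
    ("tcp", S, C, 1025, PSH | ACK),   # 220 banner (inbound)
    ("tcp", C, S, 25, PSH | ACK),     # EHLO
    ("tcp", C, S, 25, PSH | ACK),     # MAIL FROM
    ("tcp", C, S, 25, FIN | ACK),
    ("udp", C, "198.51.100.53", 53, 0),
]

def outbound(pkt):
    """$HOME_NET any -> $EXTERNAL_NET, taking $EXTERNAL_NET as !$HOME_NET (assumption)."""
    _, src, dst, _, _ = pkt
    return (ipaddress.ip_address(src) in HOME_NET
            and ipaddress.ip_address(dst) not in HOME_NET)

def rule_ip_any(pkt):        # alert ip $HOME_NET any -> $EXTERNAL_NET any
    return outbound(pkt)

def rule_tcp_25(pkt):        # alert tcp $HOME_NET any -> $EXTERNAL_NET 25
    return outbound(pkt) and pkt[0] == "tcp" and pkt[3] == 25

def rule_tcp_25_syn(pkt):    # same header with flags:S+ (SYN set, other bits allowed)
    return rule_tcp_25(pkt) and bool(pkt[4] & SYN)

def count_alerts(rule, packets=PACKETS):
    return sum(1 for pkt in packets if rule(pkt))

if __name__ == "__main__":
    for rule in (rule_ip_any, rule_tcp_25, rule_tcp_25_syn):
        print(f"{rule.__name__}: {count_alerts(rule)} alert(s)")
```

The server's SYN/ACK also has the SYN bit set, but it travels from the external host back to the client, so the rule's direction and destination port keep it from matching.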