[Snort-users] new to snort

Matt Kettler mkettler at ...4108...
Mon Feb 7 10:27:17 EST 2005


Ahh, good point, I missed the "mail" part of the original question.

You probably want flags:S+ as well, unless you want to log every packet in 
the mail transfer, and not just the initial connection request.

At 12:13 PM 2/7/2005, Leon Ward wrote:
>I think you may want to specify a destination port of 25 there as well
>(for SMTP outbound).
>
>alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"LOCAL traffic from home to external";)
>
>-Leon
>
>
>On Mon, 2005-02-07 at 11:25 -0500, Matt Kettler wrote:
> > At 10:27 AM 2/7/2005, Jürgen Schinker wrote:
> > >can somebody write me a rule to detect simple mail Traffic from HOME_NET ->
> > >EXTERNAL_NET?
> >
> > alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL traffic from home to external";)
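
An added illustration, not part of the original thread: a small Python model of Snort's flags: test, run over a constructed outbound SMTP session, showing how many packets the port-25 rule alerts on with and without flags:S+. The session data and the helper names (to_bits, flags_match, count_alerts) are assumptions made for the example.

```python
# TCP header flag bits, using the letters Snort's flags: option uses.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def to_bits(letters):
    """Turn a string such as 'SA' into the TCP flag byte."""
    bits = 0
    for ch in letters:
        bits |= FLAG_BITS[ch]
    return bits

def flags_match(option, tcp_flags):
    """Model of a Snort flags: test, e.g. 'S' (exact), 'S+' or '*SF'.
    Only F/S/R/P/A/U and the + and * modifiers are modelled here."""
    modifier = ""
    if option[0] in "+*":
        modifier, option = option[0], option[1:]
    elif option[-1] == "+":          # the thread writes it as S+
        modifier, option = "+", option[:-1]
    wanted, observed = to_bits(option), tcp_flags & 0x3F
    if modifier == "+":              # listed bits set, any others allowed
        return observed & wanted == wanted
    if modifier == "*":              # at least one listed bit set
        return observed & wanted != 0
    return observed == wanted        # no modifier: exact match

# Constructed sample: one SMTP session as (source side, dest port, flags).
SESSION = [
    ("home", 25, "S"),               # initial connection request
    ("external", 49152, "SA"),
    ("home", 25, "A"),
    ("external", 49152, "PA"),       # server banner
    ("home", 25, "PA"),              # client commands and message data
    ("external", 49152, "PA"),
    ("home", 25, "FA"),
    ("external", 49152, "FA"),
    ("home", 25, "A"),
]

def count_alerts(packets, flags_option=None):
    """Count packets matching 'alert tcp $HOME_NET any -> $EXTERNAL_NET 25',
    optionally narrowed by a flags: option."""
    hits = 0
    for side, dport, letters in packets:
        if side != "home" or dport != 25:
            continue                 # rule header does not match
        if flags_option is None or flags_match(flags_option, to_bits(letters)):
            hits += 1
    return hits

if __name__ == "__main__":
    print("without flags option:", count_alerts(SESSION))
    print("with flags:S+       :", count_alerts(SESSION, "S+"))
```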




