[Snort-users] new to snort

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Tue Feb 8 01:51:20 EST 2005


--On 07 February 2005 16:27 +0100 Jürgen Schinker 
<ba1020 at ...11989...> wrote:

> can somebody write me a rule to detect simple mail Traffic from HOME_NET
> -> EXTERNAL_NET?

Assuming you just mean SMTP by 'simple mail traffic':

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SMTP detected"; flow:established; sid:3000001;)

should do the job.

Remove 'flow:established' if you want to detect SMTP scans as well as 
successfully-established connections.

> thanks
> Jürgen

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
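
The difference between keeping and removing 'flow:established' in the rule above, as an added example that is not part of the original post and is not Snort code. It is a simplified model of TCP handshake tracking run over constructed packets; the HOME_NET value, the EXTERNAL_NET = !HOME_NET setting and all addresses are assumptions.

```python
"""Toy model: which packets fire the SMTP rule with and without flow:established."""
import ipaddress

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed value of $HOME_NET

# Constructed packets: (src, sport, dst, dport, tcp_flags)
SCAN = [("192.168.1.10", 40000, "203.0.113.5", 25, "S"),
        ("203.0.113.5", 25, "192.168.1.10", 40000, "RA")]  # port closed, reset
SESSION = [("192.168.1.20", 40001, "198.51.100.7", 25, "S"),
           ("198.51.100.7", 25, "192.168.1.20", 40001, "SA"),
           ("192.168.1.20", 40001, "198.51.100.7", 25, "A"),
           ("192.168.1.20", 40001, "198.51.100.7", 25, "PA")]


def header_matches(src, dst, dport):
    """Rule header: tcp $HOME_NET any -> $EXTERNAL_NET 25 (EXTERNAL_NET = !HOME_NET)."""
    return (ipaddress.ip_address(src) in HOME_NET
            and ipaddress.ip_address(dst) not in HOME_NET
            and dport == 25)


def alerts(packets, require_established):
    """Return the indexes of the packets that would fire the rule."""
    state = {}  # flow key -> "syn" | "synack" | "established"
    fired = []
    for i, (src, sport, dst, dport, flags) in enumerate(packets):
        key = frozenset([(src, sport), (dst, dport)])  # same key both directions
        if flags == "S":
            state[key] = "syn"
        elif flags == "SA" and state.get(key) == "syn":
            state[key] = "synack"
        elif "R" in flags:
            state.pop(key, None)  # reset tears the flow down
        elif "A" in flags and state.get(key) == "synack":
            state[key] = "established"  # three-way handshake complete
        established = state.get(key) == "established"
        if header_matches(src, dst, dport) and (established or not require_established):
            fired.append(i)
    return fired


if __name__ == "__main__":
    for name, pkts in (("scan", SCAN), ("session", SESSION)):
        print(name, "with flow:established:", alerts(pkts, True),
              "without:", alerts(pkts, False))
```
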





