[Snort-users] Snort Rule to capture outbound email traffic

Pennell, Ronald B. rpennell at ...13261...
Tue Jun 21 12:04:20 EDT 2005

I have the following Snort rule set up to capture all outbound email
(SMTP) traffic, but I have not yet seen any traffic.


I figured that I should see an entry for each mail message that is going
outbound from my organization.


alert tcp $SMTP_SERVERS any -> any 25 (sid:1000004; rev:6; msg:"outgoing SMTP"; flow:to_server; content:"MAIL FROM"; nocase; classtype:misc-activity;)


This is set up as a "local rule" and pushed to all my sensors.


In the ACID viewer I see the classtype, but it doesn't contain any of the
outbound messages.


Where am I going wrong?


Ron Pennell

rpennell at ...13261...
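Added example (not from the original post and not Snort's own code): a small Python sanity checker for Snort 2.x local rules, run here over the rule in the post and a few constructed SMTP client lines. It uses a simplified rule grammar (no hex |..| content, no escaped ';' inside quotes, no backslash continuation) and the names LOCAL_SID_MIN, lint_rule and content_matches are this example's own; it flags the things that most often explain a freshly pushed local rule that never alerts, and shows which payloads the content/nocase pair actually matches.

```python
"""Minimal sanity checker for Snort 2.x local rules (hypothetical helper, not Snort's parser)."""
import re

LOCAL_SID_MIN = 1000000   # Snort convention: sids below this are reserved for the official rule sets

# Simplified header grammar: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split 'key:val; key2; ...' on semicolons that sit outside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(text):
    """Return (header, options) for one rule; options is a list of (keyword, value-or-None)."""
    one_line = " ".join(line.strip() for line in text.strip().splitlines())
    m = HEADER_RE.match(one_line)
    if not m:
        raise ValueError("rule header does not parse: %r" % one_line[:60])
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for raw in split_options(m.group("opts")):
        key, sep, val = raw.partition(":")
        options.append((key.strip(), val.strip().strip('"') if sep else None))
    return header, options


def lint_rule(text):
    """Return warnings that commonly explain a local rule that never produces an alert."""
    warnings = []
    if len(text.strip().splitlines()) > 1:
        warnings.append("rule is wrapped across lines; Snort reads one rule per line "
                        "(join it, or end continued lines with a backslash)")
    header, options = parse_rule(text)
    opts = dict(options)          # last value wins; fine for the keywords checked below
    sid = opts.get("sid")
    if sid is None or not sid.isdigit():
        warnings.append("missing or non-numeric sid")
    elif int(sid) < LOCAL_SID_MIN:
        warnings.append("sid %s is below %d, the range reserved for local rules" % (sid, LOCAL_SID_MIN))
    if "msg" not in opts:
        warnings.append("missing msg; the alert will be hard to find in the console")
    if "flow" in opts:
        warnings.append("flow:%s relies on the stream preprocessor being enabled on every "
                        "sensor that runs this rule" % opts["flow"])
    for field in ("src", "dst"):
        if header[field].startswith("$"):
            warnings.append("%s uses variable %s; it must be defined in each sensor's snort.conf"
                            % (field, header[field]))
    return warnings


def content_matches(options, payload):
    """Apply the rule's content options to one packet payload (bytes); nocase modifies the
    content keyword that precedes it, as in Snort."""
    contents = []   # [needle_bytes, nocase_flag]
    for key, val in options:
        if key == "content":
            contents.append([val.encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
    for needle, nocase in contents:
        hay = payload.lower() if nocase else payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


# The rule from the post, copied with the line wrapping it had in the e-mail.
POSTED_RULE = """alert tcp $SMTP_SERVERS any -> any 25
( sid: 1000004; rev: 6; msg: "outgoing SMTP"; flow: to_server; content:
"MAIL FROM"; nocase; classtype: misc-activity;)"""

# Constructed sample payloads, one per packet, as an SMTP client would send them.
SAMPLE_PAYLOADS = [b"EHLO mail.example.test\r\n",
                   b"mail from:<alice@example.test>\r\n",
                   b"RCPT TO:<bob@example.net>\r\n"]

if __name__ == "__main__":
    for w in lint_rule(POSTED_RULE):
        print("warning:", w)
    _, options = parse_rule(POSTED_RULE)
    for p in SAMPLE_PAYLOADS:
        print(p, "->", "match" if content_matches(options, p) else "no match")
```

Run as-is it reports three warnings for the posted rule (the line wrapping, the flow keyword's dependence on the stream preprocessor, and the $SMTP_SERVERS variable that every sensor must define) and shows that only the lowercase "mail from:" line matches, which is what nocase buys you.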
