[Snort-users] Snort Rule to capture outbound email traffic

Pennell, Ronald B. rpennell at ...13261...
Tue Jun 21 12:04:20 EDT 2005


I have the following Snort rule set up to capture all outbound email
(SMTP) traffic, but as yet I have not seen any traffic.

I figured that I should see an entry for each mail msg that is going
outbound from my organization.

alert tcp $SMTP_SERVERS any -> any 25 ( sid: 1000004; rev: 6; msg: "outgoing SMTP"; flow: to_server; content: "MAIL FROM"; nocase; classtype: misc-activity;)

This is set up as a "local rule" and pushed to all my sensors.

In the ACID viewer I see the classtype, but it doesn't contain any of the
outbound msgs.

Where am I going wrong?

Ron Pennell

rpennell at ...13261...
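Added example, not part of the original post or of Snort itself: a small Python stand-in for the quoted rule's header and content/flow/nocase checks, run over constructed packet records, to show which SMTP packets the rule as written can and cannot match. The SMTP_SERVERS set, the addresses and the payloads are assumed values (on a real sensor $SMTP_SERVERS comes from snort.conf).

```python
"""Stand-in for the quoted rule's header and option checks, run over constructed packets."""
from dataclasses import dataclass

# Assumption: the sensor's $SMTP_SERVERS variable covers only the internal MTA.
SMTP_SERVERS = {"10.0.0.25"}

RULE = ('alert tcp $SMTP_SERVERS any -> any 25 ( sid: 1000004; rev: 6; '
        'msg: "outgoing SMTP"; flow: to_server; content: "MAIL FROM"; '
        'nocase; classtype: misc-activity;)')

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    to_server: bool   # direction as the stream tracker classifies it
    payload: bytes

def parse_rule(rule):
    """Split a one-line Snort rule into header fields and option values."""
    header, options = rule.split("(", 1)
    _action, _proto, src, sport, _arrow, dst, dport = header.split()
    parsed = {"src": src, "sport": sport, "dst": dst, "dport": dport}
    for opt in options.rstrip(")").split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")      # flag options (nocase) have no value
            parsed[key.strip()] = val.strip().strip('"')
    return parsed

def matches(rule, pkt):
    """True when every checked condition of the rule holds for the packet."""
    r = parse_rule(rule)
    if r["src"] == "$SMTP_SERVERS" and pkt.src not in SMTP_SERVERS:
        return False                     # header: source must be a listed MTA
    if r["dport"] != "any" and pkt.dport != int(r["dport"]):
        return False                     # header: destination port 25
    if r.get("flow") == "to_server" and not pkt.to_server:
        return False                     # flow: only client-to-server data
    needle, hay = r["content"].encode(), pkt.payload
    if "nocase" in r:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay                 # content match

# Constructed packets: the internal MTA, a workstation, and a server reply.
MTA_CMD = Packet("10.0.0.25", "203.0.113.10", 25, True, b"mail from:<a@example.org>\r\n")
WORKSTATION_CMD = Packet("10.0.0.50", "203.0.113.10", 25, True, b"MAIL FROM:<b@example.org>\r\n")
SERVER_REPLY = Packet("203.0.113.10", "10.0.0.25", 45012, False, b"250 OK\r\n")

if __name__ == "__main__":
    print([matches(RULE, p) for p in (MTA_CMD, WORKSTATION_CMD, SERVER_REPLY)])
```

Only the MTA's own client-side MAIL FROM matches; a host outside $SMTP_SERVERS or data flowing back from the server never can, whatever the payload contains.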
