I have the following Snort rule set up to capture all outbound email
(SMTP) traffic, but I have not yet seen any traffic.


I figured that I should see an entry for each mail message that is going
outbound from my organization.


alert tcp $SMTP_SERVERS any -> any 25 (sid: 1000004; rev: 6; msg: "outgoing SMTP"; flow: to_server; content: "MAIL FROM"; nocase; classtype: misc-activity;)


This is set up as a "local rule" and pushed to all my sensors.


In the ACID viewer I see the classtype, but it doesn't contain any of the
outbound messages.


Where am I going wrong?


Ron Pennell

rpennell at ...13261...
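A quick way to see which packets the quoted rule would and would not fire on is to evaluate it against a handful of constructed SMTP packets. The script below is an added example, not part of the post and not Snort's own matching engine: it parses the rule header and options as written, and then applies the source/destination, port, flow and content (nocase) checks to sample packets. The value of $SMTP_SERVERS and the packets themselves are constructed here, and Snort's stream-based flow:to_server check is approximated by a per-packet to_server flag.

```python
"""Evaluate the post's Snort rule against constructed SMTP packets (added example)."""
import ipaddress
import re

# The rule exactly as quoted in the post, joined onto one line.
RULE = ('alert tcp $SMTP_SERVERS any -> any 25 (sid: 1000004; rev: 6; '
        'msg: "outgoing SMTP"; flow: to_server; content: "MAIL FROM"; '
        'nocase; classtype: misc-activity;)')

# Assumed (constructed) value of the $SMTP_SERVERS variable.
VARIABLES = {"SMTP_SERVERS": ["10.0.0.25/32", "10.0.0.26/32"]}

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def parse_rule(text):
    """Split a one-line Snort rule into its header fields and an options dict."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unparseable rule")
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            key, value = item.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
        else:
            opts[item] = True          # flag-style modifier such as nocase
    rule["opts"] = opts
    return rule


def _addr_matches(spec, ip, variables):
    """'any', a $VARIABLE, or a [a,b] list of CIDRs; leading '!' negates."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    nets = variables[spec[1:]] if spec.startswith("$") else spec.strip("[]").split(",")
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
              for n in nets)
    return hit != negate


def _port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                    # lo:hi range, either end may be open
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule, pkt, variables=VARIABLES):
    """pkt: dict with src, sport, dst, dport, to_server (bool), payload (bytes)."""
    if not (_addr_matches(rule["src"], pkt["src"], variables)
            and _port_matches(rule["sport"], pkt["sport"])
            and _addr_matches(rule["dst"], pkt["dst"], variables)
            and _port_matches(rule["dport"], pkt["dport"])):
        return False
    opts = rule["opts"]
    flow = opts.get("flow")
    if flow == "to_server" and not pkt["to_server"]:
        return False
    if flow == "to_client" and pkt["to_server"]:
        return False
    if "content" in opts:
        needle, hay = opts["content"].encode(), pkt["payload"]
        if opts.get("nocase"):
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


# Constructed sample packets (addresses from documentation/private ranges).
SAMPLE_PACKETS = [
    {"name": "relay from listed server", "src": "10.0.0.25", "sport": 40123,
     "dst": "203.0.113.10", "dport": 25, "to_server": True,
     "payload": b"mail from:<alice@example.com>\r\n"},
    {"name": "remote MTA reply", "src": "203.0.113.10", "sport": 25,
     "dst": "10.0.0.25", "dport": 40123, "to_server": False,
     "payload": b"250 2.1.0 Ok\r\n"},
    {"name": "workstation direct-to-MX", "src": "10.0.5.77", "sport": 51000,
     "dst": "203.0.113.10", "dport": 25, "to_server": True,
     "payload": b"MAIL FROM:<bob@example.com>\r\n"},
    {"name": "EHLO only", "src": "10.0.0.26", "sport": 40200,
     "dst": "203.0.113.10", "dport": 25, "to_server": True,
     "payload": b"EHLO mail.example.com\r\n"},
]


def evaluate(rule_text=RULE, packets=SAMPLE_PACKETS, variables=VARIABLES):
    """Return {packet name: would the rule alert on it}."""
    rule = parse_rule(rule_text)
    return {p["name"]: rule_matches(rule, p, variables) for p in packets}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else '  -  '} {name}")
```

Running it shows the rule only fires on the first packet: a host listed in $SMTP_SERVERS, talking to port 25 in the client-to-server direction, in a packet whose payload carries "MAIL FROM". The reply from the remote MTA is to_client, the workstation is not in $SMTP_SERVERS, and the EHLO packet has no "MAIL FROM" in it, so none of those three match. Checking a rule this way against the traffic you actually expect to see, with the real value of $SMTP_SERVERS from the sensor's configuration, narrows down whether the gap is in the rule's source restriction, the direction, or the content match.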

