[Snort-users] Snort Rule to capture outbound email traffic

Frank Knobbe frank at ...9761...
Tue Jun 21 12:35:34 EDT 2005


On Tue, 2005-06-21 at 14:59 -0400, Pennell, Ronald B. wrote:

>                 alert tcp $SMTP_SERVERS any -> any 25
>                                    
>                                    
>     ( sid: 1000004; rev: 6; msg: "outgoing SMTP"; flow: to_server;
>        content: "MAIL FROM"; nocase; classtype: misc-activity;)
>                                    
>                                    
> In the acid viewer I see the classtype but it doesn’t contain any of
> the outbound msgs.

> Where am I going wrong?

You are using the flow statement wrong. Check for existing sessions that
go to the server. Use: " flow:established,to_server; "

Regards,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050621/9b9d03ec/attachment.sig>


More information about the Snort-users mailing list