[Snort-users] Capture Spam mail traffic using snort
security at ...5028...
Tue Mar 29 21:59:46 EST 2005
If those systems are in your network, you could try a threshold rule:
alert tcp !$SMTP_SERVERS any -> any 25 (msg:"possible spammer"; \
    content:"rcpt to\:"; nocase; flow:to_server,established; \
    threshold:type both, track by_src, count 10, seconds 60; sid:1000000; rev:1;)
That rule should alert on any system that sends 10 mails in 60 seconds
except those defined as SMTP_SERVERS.
lokesh.khanna at ...13040... wrote:
> I am using snort on Redhat box.
> Is it possible to capture IP addresses using snort which are sending
> Spam mails. If yes, how can I get signature?
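
A small model of how the rule's `threshold:type both, track by_src, count 10, seconds 60` option decides which sources alert, as an added example that is not part of the original post. The source addresses, timings and the `SMTP_SERVERS` value are constructed, and the window handling is a simplification of Snort's documented behaviour (one alert per source per interval once the count is reached); each event stands for one `RCPT TO` command matched by the rule.

```python
# Simplified model of "threshold: type both, track by_src, count N, seconds S".
# Assumption: a per-source window opens at the first matching event and is
# reset once S seconds have passed; the alert fires on the Nth hit only.

COUNT, SECONDS = 10, 60            # values taken from the rule
SMTP_SERVERS = {"192.0.2.25"}      # constructed stand-in for $SMTP_SERVERS


def threshold_both(events, count=COUNT, seconds=SECONDS, exempt=SMTP_SERVERS):
    """events: (timestamp_seconds, src_ip) pairs, one per RCPT TO command seen
    client-to-server on port 25. Returns the (timestamp, src_ip) alerts."""
    state = {}                     # src_ip -> [window_start, hits_in_window]
    alerts = []
    for ts, src in sorted(events):
        if src in exempt:          # the rule's !$SMTP_SERVERS source filter
            continue
        win = state.get(src)
        if win is None or ts - win[0] >= seconds:
            win = state[src] = [ts, 0]      # open a fresh window
        win[1] += 1
        if win[1] == count:        # Nth hit: alert once, later hits are silent
            alerts.append((ts, src))
    return alerts


# Constructed sample traffic.
SAMPLE = (
    # One message with 12 recipients, one RCPT TO per second: trips the rule.
    [(t, "10.0.0.5") for t in range(12)]
    # 9 recipients inside one minute: stays under the threshold.
    + [(t * 6, "10.0.0.7") for t in range(9)]
    # The mail relay itself: 50 recipients, but exempt.
    + [(t, "192.0.2.25") for t in range(50)]
    # Steady sender, one RCPT TO every 5 s for two minutes: one alert per window.
    + [(t * 5, "10.0.0.9") for t in range(25)]
)

if __name__ == "__main__":
    for ts, src in threshold_both(SAMPLE):
        print(f"t={ts:>3}s  possible spammer  src={src}")
```

Because the rule matches on `rcpt to:`, the counter advances per recipient, so a single message to a long recipient list is enough to reach the threshold.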