[Snort-users] Capture Spam mail traffic using snort

Jason security at ...5028...
Tue Mar 29 21:59:46 EST 2005


If those systems are in your network, you could try a threshold rule:


# Alert on any source outside $SMTP_SERVERS that sends "rcpt to:" to port 25
# ten or more times within 60 seconds; "type both" alerts once per window.
alert tcp !$SMTP_SERVERS any -> any 25 (msg:"possible spammer"; content:"rcpt to\:"; nocase; flow:to_server,established; threshold:type both, track by_src, count 10, seconds 60; sid:1000000; rev:1;)

That rule should alert on any system that sends 10 mails in 60 seconds 
except those defined as SMTP_SERVERS.

lokesh.khanna at ...13040... wrote:
> 
> 
> Hi
> 
> I am using snort on Redhat box.
> 
> Is it possible to capture IP addresses using snort which are sending 
> Spam mails. If yes, how can I get signature?
> 
>  
> 
> Cordially,
> 
> Lokesh
> 
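The following is an added example, not part of the thread above, that models how the rule's threshold behaves so you can reason about what it will and will not report. It implements the semantics of Snort's `threshold:type both, track by_src` (alert once per interval after `count` hits from one source, then ignore that source until the interval expires) and the static part of the rule (port 25, source not in $SMTP_SERVERS, "rcpt to:" case-insensitive) in Python, and runs it over constructed SMTP events. The value of $SMTP_SERVERS (10.0.0.9) and all addresses, timestamps and payloads are assumptions made up for the example. Note that the rule counts RCPT TO commands, not messages, so a single message addressed to many recipients contributes several hits.

```python
import re

# Assumed value of $SMTP_SERVERS for this example (not from the thread).
SMTP_SERVERS = {"10.0.0.9"}

# content:"rcpt to\:"; nocase;
RCPT = re.compile(rb"rcpt to:", re.IGNORECASE)


class SourceThreshold:
    """Model of Snort's threshold keyword with type both, track by_src.

    Alert once per `seconds` interval after `count` matching events from the
    same source; further events from that source are ignored until the
    interval (measured from the source's first event) has elapsed.
    """

    def __init__(self, count=10, seconds=60):
        self.count = count
        self.seconds = seconds
        self.state = {}  # src -> [window_start, hits, already_alerted]

    def observe(self, src, ts):
        """Record one matching event; return True if it should raise an alert."""
        st = self.state.get(src)
        if st is None or ts - st[0] >= self.seconds:
            st = [ts, 0, False]          # start a fresh window for this source
            self.state[src] = st
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True                 # alert once, then suppress for the window
            return True
        return False


def matches_rule(src, dport, payload, smtp_servers):
    """Static part of the rule: tcp !$SMTP_SERVERS any -> any 25 with 'rcpt to:'."""
    return dport == 25 and src not in smtp_servers and RCPT.search(payload) is not None


def run_rule(events, smtp_servers=SMTP_SERVERS, count=10, seconds=60):
    """Return [(timestamp, src)] for each alert the rule would raise."""
    thr = SourceThreshold(count, seconds)
    alerts = []
    for ts, src, dport, payload in events:
        if matches_rule(src, dport, payload, smtp_servers) and thr.observe(src, ts):
            alerts.append((ts, src))
    return alerts


def sample_events():
    """Constructed client->server SMTP events: (timestamp, src, dport, payload)."""
    ev = []
    # 10.0.0.5: 12 RCPT TO commands in 22 seconds, then 10 more about a minute later
    for i in range(12):
        ev.append((100 + 2 * i, "10.0.0.5", 25, b"RCPT TO:<user%d@example.com>\r\n" % i))
    for i in range(10):
        ev.append((200 + i, "10.0.0.5", 25, b"RCPT TO:<x%d@example.org>\r\n" % i))
    # 10.0.0.9 is the legitimate relay, excluded by !$SMTP_SERVERS
    for i in range(30):
        ev.append((100 + i, "10.0.0.9", 25, b"rcpt to:<a%d@example.net>\r\n" % i))
    # 10.0.0.7 sends three recipients in total: below the threshold
    for i in range(3):
        ev.append((150 + i, "10.0.0.7", 25, b"RCPT TO:<b%d@example.com>\r\n" % i))
    # Non-SMTP traffic containing the same string on port 80: never matched
    ev.append((160, "10.0.0.8", 80, b"GET /?q=rcpt+to: HTTP/1.0\r\n"))
    return sorted(ev, key=lambda e: e[0])


if __name__ == "__main__":
    for ts, src in run_rule(sample_events()):
        print("t=%d possible spammer %s" % (ts, src))
```

Running it reports 10.0.0.5 twice: once at the 10th RCPT TO of its first burst (the 11th and 12th are suppressed) and once again in the next 60-second window; the relay and the low-volume host produce nothing. In Snort 2.8.5 and later the `threshold` rule option was superseded by `detection_filter`, which has the same "count within seconds, track by_src" form.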
