[Snort-users] only alerts on incoming traffic.
jkv at ...8462...
Tue Feb 24 14:37:08 EST 2009
I'm having trouble getting snort to trigger rules on outgoing
connections; inbound connections work just fine.
For debugging this issue I have disabled all my normal rules and made a
few debug rules:
alert tcp any any -> 22.214.171.124 25 (msg:"DEBUG: SMTP INCOMMING";
alert tcp 126.96.36.199 any -> any 25 (msg:"DEBUG: SMTP OUTGOING";
(188.8.131.52 is my static IP; normally I use HOME_NET for this, but
since I am debugging I have hardcoded the IP in the rules)
With these two rules I get snort alerts if I generate port 25 from a
remote server to my server - so far so good. But if I, from my server,
initiate a port 25 connection to some remote SMTP server, I don't get any
Anyone got any ideas about why this is happening?