[Snort-users] smtp preprocessor buffers and content modifiers
eoin.miller at ...14586...
Wed Jun 8 13:46:59 EDT 2011
Reading through the Snort user guides and was wondering about the
smtp_preprocessor's various buffers and why they cannot be used as a
content modifier much like http_* options? This could be helpful with
writing signatures. It looks like the smtp_preprocessor currently
creates/inspects certain things and checks them for length or the
content of them. If people could use things like:

Not sure if smtp_response_line contains the "response code" and the
"response code parameter" as they are known when you parse SMTP traffic
with, say, Wireshark. It would be cool to be able to have these though:

I was wondering if these or something like them even already existed?
There appears to be some crossover between the http and smtp inspect
preprocessors with use of the file_data content modifier. It would seem
weird to not have the smtp buffers available for checking with rules
when the http ones are?