[Snort-users] smtp preprocessor buffers and content modifiers

Eoin Miller eoin.miller at ...14586...
Wed Jun 8 13:46:59 EDT 2011


Reading through the Snort user guides and was wondering about the 
smtp_preprocessor's various buffers and why they cannot be used as a 
content modifier much like the http_* options? This could be helpful with 
writing signatures. It looks like the smtp_preprocessor currently 
creates/inspects certain things and checks them for length or the 
content of them. If people could use things like:

smtp_command_line
smtp_header_line
smtp_response_line
smtp_cmds

Not sure if smtp_response_line contains the "response code" and the 
"response code parameter" as they are known when you parse SMTP traffic 
with, say, Wireshark. It would be cool to be able to have these though:

smtp_response_code
smtp_response_parameter

I was wondering if these or something like them even already existed? 
There appears to be some crossover between the http and smtp inspect 
preprocessors with use of the file_data content modifier. It would seem 
weird to not have the smtp buffers available for checking with rules 
when the http ones are?

-- Eoin
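To make concrete what the post means by splitting an SMTP response line into a "response code" and "response code parameter" (and a command line into a verb and argument), here is an added Python example; it is not code from the post, from Snort, or from the smtp preprocessor. It parses a constructed sample exchange (not captured traffic) and runs a rule-like check that pairs a client command verb with the final server reply code, which is the kind of match that separate buffers would make easy to express in a signature. The function and sample names are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample SMTP exchange (not captured traffic): "S" lines are
# server replies, "C" lines are client commands, in the order seen on the wire.
SAMPLE_EXCHANGE = [
    ("S", "220 mail.example.test ESMTP ready"),
    ("C", "EHLO client.example.test"),
    ("S", "250-mail.example.test greets client.example.test"),
    ("S", "250-SIZE 10485760"),
    ("S", "250 STARTTLS"),
    ("C", "MAIL FROM:<alice@example.test>"),
    ("S", "250 2.1.0 OK"),
    ("C", "RCPT TO:<bob@example.test>"),
    ("S", "550 5.1.1 User unknown"),
    ("C", "QUIT"),
]


class SmtpResponse(NamedTuple):
    code: int        # three-digit reply code, e.g. 250 (the "response code")
    final: bool      # True for "250 text", False for "250-text" continuation
    parameter: str   # text after the code (the "response code parameter")


class SmtpCommand(NamedTuple):
    verb: str        # command verb, upper-cased (EHLO, MAIL, RCPT, ...)
    argument: str    # rest of the line, empty for argument-less commands


# RFC 5321 reply: 3-digit code in 2xx-5xx, then space (last line) or hyphen
# (more lines follow), then free text.
_RESPONSE_RE = re.compile(r"^([2-5]\d{2})([ -])(.*)$")
# Command: alphabetic verb (SMTP verbs are 4 letters; allow a few more for
# extensions) optionally followed by whitespace and an argument.
_COMMAND_RE = re.compile(r"^([A-Za-z]{4,8})(?:\s+(.*))?$")


def parse_response(line: str) -> Optional[SmtpResponse]:
    """Split one server reply line into code, final-flag and parameter."""
    m = _RESPONSE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return SmtpResponse(int(m.group(1)), m.group(2) == " ", m.group(3))


def parse_command(line: str) -> Optional[SmtpCommand]:
    """Split one client command line into an upper-cased verb and argument."""
    m = _COMMAND_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return SmtpCommand(m.group(1).upper(), m.group(2) or "")


def match_command_response(exchange, verb: str, code: int) -> List[Tuple[str, str]]:
    """Rule-like check: for every client command with `verb`, look at the next
    final server reply; if its code equals `code`, record (argument, parameter).
    Continuation lines ("250-...") are skipped so multi-line replies count once."""
    hits: List[Tuple[str, str]] = []
    pending: Optional[SmtpCommand] = None
    for side, line in exchange:
        if side == "C":
            cmd = parse_command(line)
            pending = cmd if cmd is not None and cmd.verb == verb else None
            continue
        resp = parse_response(line)
        if resp is None or not resp.final:
            continue
        if pending is not None and resp.code == code:
            hits.append((pending.argument, resp.parameter))
        pending = None
    return hits


if __name__ == "__main__":
    # Example check: RCPT commands that the server rejected with a 550 reply.
    for argument, parameter in match_command_response(SAMPLE_EXCHANGE, "RCPT", 550):
        print(f"RCPT {argument} -> 550 {parameter}")
```

The point of the separate fields is the same as the point of separate buffers in a rule: the verb, the argument, the reply code and the reply text can each be matched on their own, instead of searching one raw string where "250" could also appear inside a hostname or message ID.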