Snort mailing list archives

Re: Multiple Content (not working?)

From: skill 's <skill2die4 () yahoo com>
Date: Wed, 15 May 2002 07:27:12 -0700 (PDT)

pass tcp $SMTPX any -> $MYSMTP 25

(content:"that () email com";nocase;content:"my () email com";nocase;)

alert tcp $SMTPX any -> $MYSMTP

25(content:"that () email com";nocase;resp:rst_all;)


I am novice to RULE-WRITING of snort ... so i might be
WRONG .. however , how can u define $SMTPX ??

should'nt your rule be:  

alert tcp any any -> $MY-SMTP 25 (content:"pig () squeaking com";nocase;)

__________________________________________________
Do You Yahoo!?
LAUNCH - Your Yahoo! Music Experience
http://launch.yahoo.com

_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Multiple Content (not working?) Carlos Kumbak (May 15)
- Re: Multiple Content (not working?) skill 's (May 15)
- Re: Multiple Content (not working?) Matt Kettler (May 15)
  - Re: Multiple Content (not working?) F.M. Taylor (May 15)
- <Possible follow-ups>
- Re: Multiple Content (not working?) Carlos Kumbak (May 16)
  - Re: Multiple Content (not working?) F.M. Taylor (May 17)