Snort mailing list archives
RE: Help with SMTP Rule
From: "Don" <Don () WeberOnTheWeb com>
Date: Mon, 25 Nov 2002 21:51:48 -0800
Not sure what you're trying to do exactly, but I'm probably doing something similar, and here's what I have.

In snort.conf:

    var TRUSTED_SMTP [192.168.0.0/24,10.0.0.0/24]

which is the IP blocks for home and for work. Then as one of my include files I have:

    include $RULE_PATH/MyEmail.rules

The MyEmail rules file contains the following:

    # $Id: imail.rules,v 1.0.0.3 2002/10/31 15:00:00 Don Weber Exp $
    # ----------------
    # IMAIL RULES
    # ----------------
    ## CHANGES
    # Rem'd out sid:2000010 (line 1) since not local and not a gateway show on same response lines, no need for 2 alerts.
    # created TRUSTED_SMTP VARIABLE to remedy alerts for legit users from home and from imgate system.
    alert tcp $HOME_NET 25 -> !$TRUSTED_SMTP any (msg:"Gateway"; flags: A+; content: "not a gateway"; classtype: misc-activity; sid:2000011; rev:1;)
    alert tcp $HOME_NET 25 -> !$TRUSTED_SMTP any (msg:"Peer"; flags: A+; content: "accepted for peer"; classtype: misc-activity; sid:2000012; rev:1;)

You may have to tailor the content: to your email system. On the one I use, when an attempt to use my server as a gateway is made, the xx11 rule alerts; for messages sent to non-existent users, "accepted for peer" is what is returned to the client, then after it processes the email.

My thought for you is to put the IP blocks that it is OK to send mail from into the TRUSTED_SMTP variable, then modify these rules to say:

    alert tcp $HOME_NET 25 -> !$TRUSTED_SMTP any (msg:"mail from other network"; flags: A+; content: "mail from:"; classtype: misc-activity; sid:2000013; rev:1;)

You can further mod this rule to log instead of alert. I've been playing a lot with various SMTP alerts and such; hit me off list if you like.

don
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Brian
Sent: Monday, November 25, 2002 5:41 PM
To: Ricardo Londoño
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Help with SMTP Rule

On Mon, Nov 25, 2002 at 12:04:14PM -0600, Ricardo Londoño wrote:
> Basically I need to write a rule that captures all SMTP traffic where the
> MAIL FROM is NOT a specific domain. I have come up with the following but
> I don't think it is working right. I'm capturing other misc traffic. I also
> think my problem lies in that I don't want to single out a specific user.
> So I need the rule to be flexible in that any user from any domain, with the
> exception of the allowed domain, will be logged.
>
>     alert tcp $HOME_NET any -> any 25 (msg:"POLICY SMTP illegal Mail From"; \
>       content:!"mail from|3a| @specificdomain.com"; depth: 22; \
>       classtype:misc-activity; nocase; sid:1000005; rev:1;)

Try this:

    alert tcp $HOME_NET any -> any 25 (msg:"POLICY SMTP illegal mail from"; \
      content:"mail from|3a| "; nocase; content:!"@specificdomain.com"; \
      within:100; classtype:misc-activity; nocase; sid:1000005; rev:2;)

-brian

-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T handheld. Power & Color in a compact size! http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=ort-users
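The three rule styles in this thread behave quite differently on real SMTP commands: Ricardo's single negated content with depth:22, Brian's anchored two-content version with within:100, and Don's TRUSTED_SMTP exclusion on server responses. The following small evaluator reproduces the content / content:! / depth / within / nocase semantics on constructed SMTP payloads so the differences can be checked offline. This is an added example, not code from the thread or from Snort itself; the payloads, IP addresses and function names are constructed for illustration, and Snort's own matcher may treat corner cases (such as a depth shorter than the pattern) differently.

```python
"""Toy evaluator for the Snort content-matching semantics discussed in
this thread. Added example, not the thread's or Snort's code."""
import ipaddress

# Placeholder domain from the thread, and Don's trusted networks (assumed values)
ALLOWED_DOMAIN = b"@specificdomain.com"
TRUSTED_SMTP = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "10.0.0.0/24")]


def find(payload, needle, start=0, end=None, nocase=False):
    """Return the absolute offset of needle inside payload[start:end], or -1."""
    hay = payload[start:end]
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    i = hay.find(needle)
    return -1 if i < 0 else start + i


def ricardo_rule(payload):
    """content:!"mail from|3a| @specificdomain.com"; depth: 22; nocase
    A negated content 'matches' whenever the pattern is absent from the
    first 22 bytes. The pattern is 30 bytes long, so in this evaluator it
    can never fit and the rule fires on every packet, MAIL FROM or not."""
    return find(payload, b"mail from: " + ALLOWED_DOMAIN, 0, 22, nocase=True) < 0


def brian_rule(payload):
    """content:"mail from|3a| "; nocase; content:!"@specificdomain.com"; within:100; nocase
    The first content anchors on the MAIL FROM command; the negated second
    content fires only if the allowed domain is absent from the 100 bytes
    that follow the end of that first match."""
    anchor = b"mail from: "
    i = find(payload, anchor, nocase=True)
    if i < 0:
        return False                # not a MAIL FROM command at all: no alert
    after = i + len(anchor)         # 'within' counts from the end of the previous match
    return find(payload, ALLOWED_DOMAIN, after, after + 100, nocase=True) < 0


def don_rules(dst_ip, payload):
    """alert tcp $HOME_NET 25 -> !$TRUSTED_SMTP any (content:"..."; ...)
    Returns the msg of the first of Don's rules that fires, or None.
    Destinations inside TRUSTED_SMTP are excluded by the !$TRUSTED_SMTP header."""
    if any(ipaddress.ip_address(dst_ip) in net for net in TRUSTED_SMTP):
        return None
    for msg, needle in (("Gateway", b"not a gateway"),
                        ("Peer", b"accepted for peer"),
                        ("mail from other network", b"mail from:")):
        if find(payload, needle) >= 0:   # Don's rules carry no nocase: exact match
            return msg
    return None


# Constructed sample traffic (not captures from the thread)
CLIENT_ALLOWED = b"MAIL FROM: <bob@specificdomain.com>\r\n"
CLIENT_OTHER = b"MAIL FROM: <eve@other.example>\r\n"
CLIENT_RCPT = b"RCPT TO: <bob@specificdomain.com>\r\n"
SERVER_RELAY = b"550 not a gateway\r\n"

if __name__ == "__main__":
    for p in (CLIENT_ALLOWED, CLIENT_OTHER, CLIENT_RCPT):
        print(p.strip(), "ricardo:", ricardo_rule(p), "brian:", brian_rule(p))
    print(SERVER_RELAY.strip(), "to 203.0.113.9:", don_rules("203.0.113.9", SERVER_RELAY))
    print(SERVER_RELAY.strip(), "to 192.168.0.7:", don_rules("192.168.0.7", SERVER_RELAY))
```

Running it shows Ricardo's rule firing on all three client commands, including the RCPT TO and the MAIL FROM from the allowed domain, while Brian's rule fires only on the MAIL FROM from another domain; Don's "Gateway" rule fires on the relay refusal sent to an outside address and stays silent when the same response goes to a host inside TRUSTED_SMTP.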
Current thread:
- Help with SMTP Rule Ricardo Londoño (Nov 25)
- Re: Help with SMTP Rule Brian (Nov 25)
- Re: Help with SMTP Rule Ricardo Londoño (Nov 25)
- RE: Help with SMTP Rule Don (Nov 25)
- <Possible follow-ups>
- RE: Help with SMTP Rule Hicks, John (Nov 25)
- Re: Help with SMTP Rule Brian (Nov 25)