Snort mailing list archives
RE: Problem getting a snort rule to work
From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Thu, 14 Apr 2005 09:34:31 -0400
You are missing the source port in your alerts. Try:

Alert tcp $SMTP_NET any -> any 25 (msg:"outgoing SMTP";)

Bruce

_____

From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Pennell, Ronald B.
Sent: Thursday, April 14, 2005 8:59 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Problem getting a snort rule to work

I'm extremely new to snort and have been trying to get a simple snort rule to work. I'm tasked with grabbing an alert for every email message that is going outbound from my organization. I've tried using the following local rule:

Alert tcp $SMTP_NET --> any 25
Alert udp " " "
Alert tcp $HOME_Net " "

When I check the ACID viewer, I see no traffic at all. Any help would be greatly appreciated.

Ron Pennell
rpennell () ida org
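
The header problem discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages and not Snort's own parser: a small Python checker for the seven header fields (action, protocol, source address, source port, direction, destination address, destination port), run over the first rule from the question and the rule from the reply with its direction operator written as `->`. The function name and the problem strings are hypothetical.

```python
import re

# Header layout: action protocol src_ip src_port direction dst_ip dst_port
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}


def check_rule_header(rule):
    """Return a list of problems found in a Snort rule header (empty if none)."""
    header = rule.partition("(")[0]          # drop the option block, if any
    tokens = header.split()
    problems = []
    # Keywords are compared case-insensitively (an assumption of this sketch).
    if not tokens or tokens[0].lower() not in ACTIONS:
        problems.append("unknown or missing action")
    if len(tokens) < 2 or tokens[1].lower() not in PROTOCOLS:
        problems.append("unknown or missing protocol")
    # Find whatever token was meant as the direction operator.
    arrow_at = next(
        (i for i, t in enumerate(tokens) if re.fullmatch(r"[-<>]+", t)), None
    )
    if arrow_at is None:
        problems.append("no direction operator")
        return problems
    if tokens[arrow_at] not in DIRECTIONS:
        problems.append(f"invalid direction operator {tokens[arrow_at]!r}")
    # Exactly two fields (address, port) must sit between protocol and operator.
    if arrow_at == 3:
        problems.append("source port missing")
    elif arrow_at != 4:
        problems.append("source side must be: address port")
    if len(tokens) - arrow_at - 1 != 2:
        problems.append("destination side must be: address port")
    return problems


# Rules as posted in the thread.
SAMPLES = [
    'Alert tcp $SMTP_NET --> any 25',
    'Alert tcp $SMTP_NET any -> any 25 (msg:"outgoing SMTP";)',
]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(rule, "=>", check_rule_header(rule) or "header OK")
```
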