Snort mailing list archives

Re: SMTP Rule


From: Martin Holste <mcholste () gmail com>
Date: Wed, 7 Sep 2011 08:15:05 -0500

You can do this with flowbits and two rules.  You use
"flowbits:set,SMTP.Flowbit" (the name of the flowbit doesn't matter as
long as it is unique).  Then you make a second rule which has the
other content match for the "TO" address which checks that the first
flowbit was set like this: "flowbits:isset,SMTP.Flowbit".  See the
Snort manual for details on flowbits, and have a look at the current
Snort ruleset for how they were used.

On Wed, Sep 7, 2011 at 4:59 AM, vmpc vmpc <packetstack () gmail com> wrote:
Hello,

I am having difficulty writing a rule.

To keep it simple, I will explain it this way.

Basically, I would like to create a rule that will check for the following
SMTP traffic pattern:

content: From:blah () blah com; content: RCPT.To:blah () blah net.

The problem is that in a SMTP session, the FROM and the RCPT are on separate
packets. I would have to look at two different packets in order to generate
an alert. I don't know if that is possible.

So ultimately, I would like to know if it is possible to write a rule which
will look at all packets in a session and if it matches the contents of the
rule, it generates an alert.

Thanks!
------------------------------------------------------------------------------
Using storage to extend the benefits of virtualization and iSCSI
Virtualization increases hardware utilization and delivers a new level of
agility. Learn what those decisions are and how to modernize your storage
and backup environments for virtualization.
http://www.accelacomm.com/jaw/sfnl/114/51434361/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


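A worked version of the two-rule flowbits approach described in the reply above, added here as an example; it is not code from the original thread or from the Snort ruleset. The addresses sender@example.com and rcpt@example.net stand in for the obfuscated ones in the question, the flowbit name smtp.from_example_com and the SIDs 1000001-1000003 are placeholders, and $EXTERNAL_NET / $SMTP_SERVERS are the variables from the default snort.conf (port 25 is hard-coded rather than using $SMTP_PORTS). The third rule is an addition beyond the reply: it clears the bit when the SMTP transaction ends.

```snort
# Rule 1: the MAIL FROM command named the sender of interest. This rule only
# records that fact on the flow; flowbits:noalert stops it raising its own event.
# The backslash is Snort's rule continuation character.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"LOCAL SMTP MAIL FROM sender@example.com (flowbit set)"; \
    flow:to_server,established; \
    content:"MAIL FROM|3A|"; nocase; \
    content:"sender@example.com"; nocase; within:40; \
    flowbits:set,smtp.from_example_com; flowbits:noalert; \
    classtype:misc-activity; sid:1000001; rev:1; \
)

# Rule 2: fires on the RCPT TO line, but only in a TCP session where rule 1
# has already set the bit, so the two commands may arrive in separate packets.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"LOCAL SMTP sender@example.com sending to rcpt@example.net"; \
    flow:to_server,established; \
    flowbits:isset,smtp.from_example_com; \
    content:"RCPT TO|3A|"; nocase; \
    content:"rcpt@example.net"; nocase; within:40; \
    classtype:misc-activity; sid:1000002; rev:1; \
)

# Rule 3 (caveat): one connection can carry several messages. Clear the bit when
# the client sends DATA or RSET so a later MAIL FROM from a different sender on
# the same session does not inherit it. The /m flag anchors ^ at line starts, so
# the commands are matched as their own line rather than anywhere in the payload.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"LOCAL SMTP transaction ended (flowbit cleared)"; \
    flow:to_server,established; \
    pcre:"/^(DATA|RSET)\r\n/mi"; \
    flowbits:unset,smtp.from_example_com; flowbits:noalert; \
    classtype:misc-activity; sid:1000003; rev:1; \
)
```

Validate the file with `snort -T -c snort.conf` before loading it. In a normal SMTP exchange the client waits for the 250 reply to MAIL FROM before sending RCPT TO, so the two commands are in different segments and the per-flow bit is what ties them together; clients using the ESMTP PIPELINING extension can send both commands in one segment, so test that case in a lab if it matters for your traffic. Rule 3 has no content fast pattern (pcre only), which costs more per packet than the other two; on port 25 volumes that is usually acceptable, but it can be split into two content-based rules if not.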

