Subject: [Snort-users] Can I make a rule to catch SMTP banners?
From: Jason Haar (Jason.Haar trimble.co.nz)
Date: Mon Nov 20 2000 - 16:54:50 CST
- Next message: Len Burns: "[Snort-users] CGI Null Byte Attack"
- Previous message: Chris Scheller: "Re: [Snort-users] Who's using Snort?"
- Next in thread: Martin Roesch: "Re: [Snort-users] Can I make a rule to catch SMTP banners?"
- Reply: Martin Roesch: "Re: [Snort-users] Can I make a rule to catch SMTP banners?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I'm wondering if we can use Snort for more than just IDS. I was looking at
something that made me think - "what kinds of mail servers does our mail
server connect to?".
Can I make a rule that matches on the first line returned from an outgoing
SMTP connection: e.g.
220 trimble.co.nz ESMTP Trimble Navigation New Zealand Ltd ESMTP
I thought something along the lines of:
alert TCP $EXTERNAL 25 -> $INTERNAL any (msg: "SMTP session"; flags: AP;
content: "220"; depth: 60;)
should match. However, that matches any SMTP packet containing 220 - not
just the first one of a session.
Is there any way to match on just the first occurrence within a single TCP
session?
Thanks
--
Cheers
Jason Haar
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417

_______________________________________________
Snort-users mailing list
Snort-users lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
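The post asks for a match on only the first server reply of each outgoing SMTP session, which a stateless per-packet content match cannot give. The following Python script is an added example, not code from the thread or from the Snort project: it shows the per-session bookkeeping that produces the inventory the poster wants (the banner of every mail server our own server connects to), deciding once per TCP session and ignoring later "220" replies such as the one that follows STARTTLS. It assumes packets have already been decoded into a simple record (source, ports, destination, payload) and uses a constructed packet trace in place of live traffic; the $INTERNAL network is a hypothetical 10.0.0.0/24. Later Snort releases express the same per-session idea in the rule language with the flow and flowbits options.

```python
"""Per-session SMTP banner inventory (added example, constructed data).

Reports the first server-to-client payload of each outbound TCP/25
connection exactly once, so a later "220" (e.g. the STARTTLS greeting)
inside the same session does not fire again.
"""
import ipaddress
from dataclasses import dataclass

SMTP_PORT = 25


@dataclass(frozen=True)
class Packet:
    """Minimal decoded packet; a real tool would get these from a pcap."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def session_key(pkt):
    """Direction-independent key so both halves of one TCP connection map
    to the same session entry."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


def is_smtp_banner(payload):
    """RFC 5321 greeting: '220 ' or, for a multi-line banner, '220-' at
    offset 0 of the server's first reply."""
    return payload[:4] in (b"220 ", b"220-")


def collect_banners(packets, internal_cidr):
    """Return {session_key: banner_line} for the first server reply of each
    outbound SMTP session from hosts inside internal_cidr."""
    internal = ipaddress.ip_network(internal_cidr)
    decided = set()   # sessions whose first server payload has been seen
    banners = {}
    for pkt in packets:
        # Only server -> client traffic from port 25 toward our own hosts,
        # i.e. replies to connections our mail server initiated.
        if pkt.sport != SMTP_PORT or ipaddress.ip_address(pkt.dst) not in internal:
            continue
        key = session_key(pkt)
        if key in decided:
            continue          # not the first server payload in this session
        if not pkt.payload:
            continue          # SYN-ACK or bare ACK: no banner yet
        decided.add(key)      # first data from the server: decide once
        if is_smtp_banner(pkt.payload):
            first_line = pkt.payload.split(b"\r\n", 1)[0]
            banners[key] = first_line.decode("ascii", "replace")
    return banners


# Constructed trace: two outbound sessions (one with STARTTLS, one with a
# multi-line greeting) and one inbound session that must be excluded.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", 25, "10.0.0.5", 40001, b""),                      # SYN-ACK
    Packet("203.0.113.10", 25, "10.0.0.5", 40001,
           b"220 mail.example.net ESMTP Postfix\r\n"),                       # banner
    Packet("10.0.0.5", 40001, "203.0.113.10", 25, b"EHLO mta.example.com\r\n"),
    Packet("203.0.113.10", 25, "10.0.0.5", 40001,
           b"250-mail.example.net\r\n250 STARTTLS\r\n"),
    Packet("10.0.0.5", 40001, "203.0.113.10", 25, b"STARTTLS\r\n"),
    Packet("203.0.113.10", 25, "10.0.0.5", 40001,
           b"220 2.0.0 Ready to start TLS\r\n"),                              # second 220
    Packet("198.51.100.7", 25, "10.0.0.5", 40002,
           b"220-mx.example.org ESMTP\r\n220-no UCE\r\n220 ready\r\n"),      # multi-line
    Packet("10.0.0.9", 25, "203.0.113.44", 51000,
           b"220 mta.example.com ESMTP\r\n"),                                 # inbound, skip
]


def banner_report(packets=SAMPLE_PACKETS, internal_cidr="10.0.0.0/24"):
    """Sorted (server_ip, banner) pairs, one per outbound session."""
    found = collect_banners(packets, internal_cidr)
    return sorted((key[0][0] if key[0][1] == SMTP_PORT else key[1][0], banner)
                  for key, banner in found.items())


if __name__ == "__main__":
    for server, banner in banner_report():
        print(f"{server:15} {banner}")
```

Running the script prints one line per outbound session (two here); the STARTTLS "220" and the inbound session's banner are both absent. Moving the `decided` set onto a per-flow basis is exactly the state a stream-aware IDS keeps, which is why a stateless `content:"220"` match cannot do this on its own.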