Subject: Re: [Snort-users] Can I make a rule to catch SMTP banners?
From: Martin Roesch (roeschmd.prestige.net)
Date: Mon Nov 20 2000 - 19:57:55 CST


Try this:

alert TCP $EXTERNAL 25 -> $INTERNAL any (msg: "SMTP session"; flags: AP;
content: "220"; depth: 60; content: "SMTP";)

This will look for both the 220 and *SMTP in the packet. Also, if you're
using the latest from CVS you can use the new "regex" keyword from Fyodor to
allow single (?) and multiple (*) character wildcards in strings.

     -Marty

Jason Haar wrote:
>
> I'm wondering if we can use Snort for more than just IDS. I was looking at
> something that made me think - "what kinds of mail servers does our mail
> server connect to?".
>
> Can I make a rule that matches on the first line returned from an outgoing
> SMTP connection: e.g.
>
> 220 trimble.co.nz ESMTP Trimble Navigation New Zealand Ltd ESMTP
>
> I thought something along the lines of:
>
> alert TCP $EXTERNAL 25 -> $INTERNAL any (msg: "SMTP session"; flags: AP;
> content: "220"; depth: 60;)
>
> should match. However, that matches any SMTP packet containing 220 - not
> just the first one of a session.
>
> Is there any way to match on just the first occurrence within a single TCP
> session?
>
> Thanks
>
> --
> Cheers
>
> Jason Haar
>
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> _______________________________________________
> Snort-users mailing list
> Snort-userslists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roeschmd.prestige.net
http://www.snort.org
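To make the difference between the two rules in this thread concrete, here is a small added example (my code, not Snort's and not from either poster) that models the `content`/`depth` option semantics as Marty describes them: each `content` is a plain substring search, `depth: N` limits that search to the first N payload bytes, and all options of a rule must match. It runs both rules over constructed server-to-client SMTP packets from two sessions and goes one step beyond the thread by adding a per-session filter that evaluates only the first server packet, which is what Jason's question asks for and what a stateless content rule cannot do on its own. The IP addresses, ports and payloads are constructed; the `Packet`, `Rule` and `ContentOption` types are assumptions of this example.

```python
"""Toy evaluator for the Snort 'content'/'depth' option semantics discussed in the thread.

Added example, not Snort code.  Packets, addresses and payloads are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class ContentOption:
    pattern: bytes
    depth: Optional[int] = None  # 'depth: N' restricts the search to the first N payload bytes


@dataclass
class Rule:
    msg: str
    contents: List[ContentOption] = field(default_factory=list)


@dataclass
class Packet:
    src: str          # "ip:port" of the sender; the SMTP server on port 25 in this thread
    dst: str
    payload: bytes


def content_matches(payload: bytes, opt: ContentOption) -> bool:
    """One 'content' option: substring search, bounded to the first 'depth' bytes when given."""
    window = payload if opt.depth is None else payload[:opt.depth]
    return opt.pattern in window


def rule_matches(payload: bytes, rule: Rule) -> bool:
    """All 'content' options of a rule must match; Snort ANDs rule options together."""
    return all(content_matches(payload, c) for c in rule.contents)


# The two rules from the thread (header part omitted: server port 25 -> client, any port)
JASON_RULE = Rule("SMTP session", [ContentOption(b"220", depth=60)])
MARTY_RULE = Rule("SMTP session", [ContentOption(b"220", depth=60), ContentOption(b"SMTP")])

# Constructed server->client packets from two SMTP sessions (documentation-range addresses)
PACKETS = [
    Packet("198.51.100.25:25", "192.0.2.10:40001", b"220 mail.example.test ESMTP ready\r\n"),
    Packet("198.51.100.25:25", "192.0.2.10:40001", b"250-mail.example.test Hello\r\n250 SIZE 20971520\r\n"),
    Packet("198.51.100.25:25", "192.0.2.10:40001", b"250 2.0.0 Ok: queued as 220ABCDEF\r\n"),
    Packet("203.0.113.7:25", "192.0.2.10:40002",
           b"220 trimble.co.nz ESMTP Trimble Navigation New Zealand Ltd ESMTP\r\n"),
    Packet("203.0.113.7:25", "192.0.2.10:40002", b"221 2.0.0 Bye\r\n"),
]


def stateless_alerts(rule: Rule, packets: List[Packet]) -> List[int]:
    """Evaluate the rule on every packet independently, as the thread's content rules do.

    Returns the indices of packets that would raise an alert.
    """
    return [i for i, p in enumerate(packets) if rule_matches(p.payload, rule)]


def first_server_packet_alerts(rule: Rule, packets: List[Packet]) -> List[int]:
    """Evaluate the rule only on the first server->client payload of each session.

    This is the per-session behaviour Jason asks about.  It needs flow state
    (which endpoint pairs have already been seen), something a plain
    content/depth rule does not carry.  The session key here is the
    (src, dst) endpoint pair, which is enough for one direction of one connection.
    """
    seen: Set[Tuple[str, str]] = set()
    hits: List[int] = []
    for i, p in enumerate(packets):
        key = (p.src, p.dst)
        if key in seen:
            continue
        seen.add(key)
        if rule_matches(p.payload, rule):
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("Jason's rule, stateless:", stateless_alerts(JASON_RULE, PACKETS))
    print("Marty's rule, stateless:", stateless_alerts(MARTY_RULE, PACKETS))
    print("Jason's rule, first server packet per session:",
          first_server_packet_alerts(JASON_RULE, PACKETS))
```

Running it shows Jason's single-`content` rule firing on the queued-message reply (packet 2) because "220" appears inside the queue id within the first 60 bytes, while Marty's rule, which also requires "SMTP", fires only on the two banners. The per-session variant fires on the banners even with Jason's original rule, because the banner is the first thing the server sends; the cost is keeping state per connection, which is the real difference between "first occurrence in a session" and a packet-by-packet content match.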