Re: [Snort-sigs] Not looking in Email

Actually, what you want is:

alert tcp any any <> !$SMTP_SERVERS 25 (msg:"ETCPASSWD"; flags:A+; content:"/etc/passwd"; sid:1000004;)

or:

alert tcp any any <> $HOME_NET !25 (msg:"ETCPASSWD"; flags:A+; content: "/etc/passwd"; sid:1000004;)

Of course, that won't stop it from looking in pop3 e-mail via port 110 or IMAP...

security people wrote:

>Use something like the following:

-- 
"The trouble with doing something right the first time 
 is that nobody appreciates how difficult it was."

-- Dale L. Handy, P.E.
   dale@srv.net          (208) 552-5332 (work)          (208) 403-6424 (cell)




-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. 
http://www.objectstore.net/sourceforge
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related snort.org Links snort-announce snort-cvsinfo snort-devel snort-sigs snort-users Request more information about Pantek