Snort mailing list archives

simple rule help--detect unauthorized servers


From: "John York" <YorkJ () brcc edu>
Date: Wed, 3 Mar 2004 11:17:24 -0500

I need to write a rule to detect unauthorized smtp and http servers on
my network.  I have several authorized servers listed in $SMTP_SERVERS
and $HTTP_SERVERS, and a $HOME that spans 10 class C networks.  What I'd
like to do is something like this:
alert ip ($HOME AND !$SMTP_SERVERS) 25 -> any any (...

or perhaps this:
var UNAUTH_SMTP [$HOME AND !$SMTP_SERVERS]
alert ip $UNAUTH_SMTP 25 -> any any (...

Is there an easy way to do this, or do I need to create an $UNAUTH_SMTP
manually?

Thanks
John

John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA 24486
540.453.2255
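
One way to build the $UNAUTH_SMTP list the message asks about, as an added example that is not part of the original post: a Python script that subtracts the authorized servers from the home networks and prints the remainder as a Snort `var` line. The addresses and the function names `subtract` and `snort_var` are constructed for illustration.

```python
import ipaddress

# Constructed sample values; substitute the real $HOME and $SMTP_SERVERS.
HOME = ["192.168.10.0/24", "192.168.11.0/24"]
SMTP_SERVERS = ["192.168.10.25", "192.168.11.25"]


def subtract(home_nets, authorized):
    """Return home_nets minus authorized as a sorted, collapsed CIDR list."""
    remaining = [ipaddress.ip_network(n) for n in home_nets]
    for entry in authorized:
        excl = ipaddress.ip_network(entry)  # a bare IP becomes a /32
        kept = []
        for net in remaining:
            if net.subnet_of(excl):
                continue  # block is entirely authorized, drop it
            if excl.subnet_of(net):
                # split net into the pieces that do not cover excl
                kept.extend(net.address_exclude(excl))
            else:
                kept.append(net)  # no overlap, keep unchanged
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def snort_var(name, nets):
    """Format a CIDR list as a Snort variable definition (hypothetical helper)."""
    return "var %s [%s]" % (name, ",".join(str(n) for n in nets))


if __name__ == "__main__":
    print(snort_var("UNAUTH_SMTP", subtract(HOME, SMTP_SERVERS)))
```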

