question:
1. When I use the rule alert smtp any any <> any any (msg:"smtp event"; sid:1000015; rev:10;), there are more smtp events than Wireshark displayed.
2. Based on the official document, I wrote the rule as alert imap any any <> any any (msg:"imap4 event_test"; sid:1000016; rev:10;),
but it does not work. So I used two rules to replace it:
alert tcp any any -> any 143 (msg:"imap4 to_server"; sid:1000016; rev:10;)
alert tcp any 143 -> any any (msg:"imap4 to_client"; sid:1000017; rev:10;)
Is this a problem?
How do I solve it?
3. Do you have some suggestions for detecting POP3?
I wrote two rules about port 110 of POP3:
alert tcp any any -> any 110 (msg:"POP3 to_server"; sid:1000013; rev:4;)
alert tcp any 110 -> any any (msg:"POP3 to_client"; sid:1000014; rev:4;)
Thank you. I have to use the ports specified by the POP3 & IMAP protocols for detection first.
About the first question:
1. When I use the rule alert smtp any any <> any any (msg:"smtp event"; sid:1000015; rev:10;), there are more smtp events than Wireshark displayed.
I found the reason. The rule has led to an increase in events.
I deleted the rules and solved the problem.
And I found a new problem. Some ftp events appeared when I detect POP3.
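The two observations in the post above (more smtp alerts than Wireshark shows, and ftp events turning up while detecting POP3) can both be checked from Suricata's eve.json output, because every alert record carries the app_proto Suricata assigned to the flow and a flow_id. The following script is an added example and is not code from the thread or from the Suricata project; it assumes the standard EVE alert field names (event_type, flow_id, app_proto, dest_port, alert.signature_id) and uses sample log lines constructed here for illustration. It tallies which application protocol each sid actually fired on, lists alerts whose app_proto is not the one the rule author expected, and reports how many times one sid fired on a single flow, which is how a payload-less packet rule can produce several alerts for one TCP stream.

```python
import json
from collections import Counter, defaultdict

# Constructed sample eve.json lines written for this example (not captured from
# the thread). Field names follow Suricata's EVE alert record layout.
SAMPLE_EVE = "\n".join([
    '{"event_type":"alert","flow_id":11,"src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.9","dest_port":110,"proto":"TCP","app_proto":"pop3","alert":{"signature_id":1000013,"rev":4,"signature":"POP3 to_server"}}',
    '{"event_type":"alert","flow_id":11,"src_ip":"10.0.0.9","src_port":110,"dest_ip":"10.0.0.5","dest_port":51000,"proto":"TCP","app_proto":"pop3","alert":{"signature_id":1000014,"rev":4,"signature":"POP3 to_client"}}',
    # Port 110 traffic that Suricata's protocol detection classified as ftp.
    '{"event_type":"alert","flow_id":12,"src_ip":"10.0.0.5","src_port":51002,"dest_ip":"10.0.0.9","dest_port":110,"proto":"TCP","app_proto":"ftp","alert":{"signature_id":1000013,"rev":4,"signature":"POP3 to_server"}}',
    '{"event_type":"flow","flow_id":12,"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","app_proto":"ftp"}',
    # One smtp flow on which a payload-less rule fired three times.
    '{"event_type":"alert","flow_id":13,"src_ip":"10.0.0.5","src_port":51003,"dest_ip":"10.0.0.9","dest_port":25,"proto":"TCP","app_proto":"smtp","alert":{"signature_id":1000015,"rev":10,"signature":"smtp event"}}',
    '{"event_type":"alert","flow_id":13,"src_ip":"10.0.0.5","src_port":51003,"dest_ip":"10.0.0.9","dest_port":25,"proto":"TCP","app_proto":"smtp","alert":{"signature_id":1000015,"rev":10,"signature":"smtp event"}}',
    '{"event_type":"alert","flow_id":13,"src_ip":"10.0.0.9","src_port":25,"dest_ip":"10.0.0.5","dest_port":51003,"proto":"TCP","app_proto":"smtp","alert":{"signature_id":1000015,"rev":10,"signature":"smtp event"}}',
    'this line is not json and is skipped',
])

# What the rule author expects each sid to see (sids taken from the thread).
EXPECTED_PROTO = {1000013: "pop3", 1000014: "pop3", 1000015: "smtp"}


def parse_alerts(text):
    """Return the alert records from eve.json text, skipping other event types and bad lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def proto_by_sid(alerts):
    """Map sid -> Counter of app_proto, i.e. what Suricata decided each alerting flow was."""
    out = defaultdict(Counter)
    for a in alerts:
        out[a["alert"]["signature_id"]][a.get("app_proto", "unknown")] += 1
    return dict(out)


def mismatches(alerts, expected=EXPECTED_PROTO):
    """Alerts whose app_proto differs from the protocol the rule author expected for that sid."""
    bad = []
    for a in alerts:
        sid = a["alert"]["signature_id"]
        proto = a.get("app_proto", "unknown")
        if sid in expected and proto != expected[sid]:
            bad.append((sid, proto, a["src_ip"], a["dest_ip"], a["dest_port"]))
    return bad


def alerts_per_flow(alerts):
    """sid -> highest number of alerts fired on a single flow; >1 means the rule fires per packet."""
    per = defaultdict(Counter)
    for a in alerts:
        per[a["alert"]["signature_id"]][a.get("flow_id")] += 1
    return {sid: max(c.values()) for sid, c in per.items()}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    for sid, c in sorted(proto_by_sid(alerts).items()):
        print(sid, dict(c))
    for m in mismatches(alerts):
        print("unexpected app_proto:", m)
    print("max alerts on one flow per sid:", alerts_per_flow(alerts))
```

Run it against a real eve.json by replacing SAMPLE_EVE with the file contents. A sid whose app_proto counter contains anything other than the protocol its port implies shows protocol detection disagreeing with the port assumption, and a per-flow count above 1 shows the rule is counting packets rather than sessions, which is why it will not line up with Wireshark's stream view.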
@Andreas_Herz is there something similar for smtp not being supported too? I tried using ssmtp to send an email but it doesn't seem to work (capturing the traffic with Wireshark shows TCP traffic instead of SMTP) -- still relatively new to this.
My rule:
alert smtp $HOME_NET any -> any any (msg:"Sensitive Data Leak"; content:"Hello"; flow:to_server; sid:15; rev:1;)
Do you have a pcap for that test?
It would be worth removing the flow part from the rule for testing, and also testing alert ip instead of alert smtp, to narrow down a potential issue.