The above rules are demo things. Here are the real rules for SMTP:
alert smtp any any -> any 25 (msg:"get smtp username"; \
    flowbits:set,smtp_login; \
    pcre:"/AUTH LOGIN\r\n([\w]+={0,2})\r\n([\w]+={0,2})\r\n/i, flow:username, flow:password"; \
    noalert; \
    sid:200010; gid:10001;)

alert smtp any 25 -> any any (msg:"get smtp status"; \
    flowbits:isset,smtp_login; priority:1; \
    flowbits:unset,smtp_login; \
    pcre:"/(235|535).*\r\n/, flow:status"; \
    target:src_ip; sid:200019; gid:10001;)
and packets for test
smtp_test.pcapng (13.3 KB)
Thx for your help
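To make the intended two-rule logic concrete, here is an added Python example (not part of the original post, and not using the poster's custom `flow:` pcre extension) that replays the same flowbits state machine over a constructed SMTP AUTH LOGIN session: the client-side pattern sets `smtp_login` without alerting, and the server-side pattern fires only while that bit is set, consumes it, and reports the 235/535 outcome. The exchange, the decoded username and the alert dictionary layout are all assumptions made for the demonstration.

```python
import base64
import re

# Constructed SMTP AUTH LOGIN exchange (not taken from the attached pcap).
# Each entry is (direction, bytes): "c2s" = client to server, "s2c" = server to client.
SAMPLE_EXCHANGE = [
    ("c2s", b"EHLO client.example.test\r\n"),
    ("s2c", b"250-mail.example.test\r\n"),
    ("s2c", b"250 AUTH LOGIN PLAIN\r\n"),
    ("c2s", b"AUTH LOGIN\r\n"),
    ("s2c", b"334 VXNlcm5hbWU6\r\n"),          # base64("Username:")
    ("c2s", b"YWxpY2U=\r\n"),                   # base64("alice")
    ("s2c", b"334 UGFzc3dvcmQ6\r\n"),          # base64("Password:")
    ("c2s", b"c2VjcmV0\r\n"),                   # base64("secret")
    ("s2c", b"235 2.7.0 Authentication successful\r\n"),
]

# The same two regular expressions the post's pcre keywords use.
AUTH_RE = re.compile(rb"AUTH LOGIN\r\n([\w]+={0,2})\r\n([\w]+={0,2})\r\n", re.I)
STATUS_RE = re.compile(rb"(235|535).*\r\n")


def safe_b64(token: bytes) -> str:
    """Decode a base64 token for alert context; fall back to the raw token if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return token.decode("ascii", "replace")


def analyze(exchange):
    """Replay the two-rule flowbits logic over one SMTP session.

    Rule 1 (client->server, sid 200010): match AUTH LOGIN followed by two base64
    lines, set flowbit smtp_login, no alert (noalert).
    Rule 2 (server->client, sid 200019): only when smtp_login is set, match a
    235/535 reply, unset the flowbit and alert with the status.
    """
    flowbits = set()
    c2s_buf = b""      # reassembled client stream, the view the first pcre gets
    pending = None     # username captured by rule 1, awaiting the server status
    alerts = []
    for direction, data in exchange:
        if direction == "c2s":
            c2s_buf += data
            match = AUTH_RE.search(c2s_buf)
            if match and "smtp_login" not in flowbits:
                flowbits.add("smtp_login")               # flowbits:set,smtp_login
                pending = safe_b64(match.group(1))       # username only, for alert context
                c2s_buf = c2s_buf[match.end():]          # keep the buffer bounded
        else:
            if "smtp_login" not in flowbits:             # flowbits:isset fails -> rule 2 cannot match
                continue
            match = STATUS_RE.search(data)
            if match:
                flowbits.discard("smtp_login")           # flowbits:unset,smtp_login
                code = match.group(1).decode()
                alerts.append({
                    "sid": 200019,
                    "msg": "get smtp status",
                    "username": pending,
                    "status": code,
                    "result": "success" if code == "235" else "failure",
                })
                pending = None
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EXCHANGE):
        print(alert)
```

Two things this makes visible that the rules alone do not: a 235/535 reply seen without a preceding AUTH LOGIN match produces nothing, because the `isset` check gates the second rule, and the `[\w]+` class in the post's pcre will not match base64 tokens that contain `+` or `/`, so credentials with such characters would leave the flowbit unset and the status alert would never fire.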