
I am trying to raise an alert when someone is setting up a connection to PORT 25 (tcp), whatever source or destination. For this I came up with this simple rule:

alert tcp any any -> any 25 (msg:"Email sent"; sid:10001337007;)

From a Windows client I tried scanning for open ports on the server running SNORT and this raises the following alert as expected:

Jan 19 23:23:52 HSOC01 snort[7678]: [1:1411402415:0] Email sent {TCP} 192.168.0.134:50848 -> 192.168.0.26:25

However, when scanning for open ports (from the same Windows client) to, let's say, a domain controller, no alert is being raised.

Also, opening a connection to a mail server on port 25 does not trigger anything.

Could someone please explain what is going on?

Tommy
  • Forgot to mention, all servers are in the same subnet. Snort is running with ANY (both home and external). Tried specifying the subnet as home but same result. –  Jan 19 '15 at 22:29
  • If you run a packet capture on the Snort box, can you see the traffic you generated to the non-Snort destinations? If not, then your problem is a networking one. – schroeder Feb 28 '15 at 19:14

1 Answer


Unless Snort is in-line or is receiving traffic from a span/tap then it's not going to see the traffic that is not to/from the Snort box. If this doesn't help then tell us about your network topology and where Snort sits.

user1801810