I am trying to raise an alert when someone is setting up a connection to PORT 25 (tcp), whatever source or destination. For this I came up with this simple rule:
alert tcp any any -> any 25 (msg:"Email sent"; sid:10001337007;)
From a Windows client I tried scanning for open ports on the server running SNORT and this raises the following alert as expected:
Jan 19 23:23:52 HSOC01 snort[7678]: [1:1411402415:0] Email sent {TCP} 192.168.0.134:50848 -> 192.168.0.26:25
However, when scanning for open ports (from the same Windows client) to, let's say, a domain controller, no alert is being raised.
Also, opening a connection to a mail server on port 25 does not trigger anything.
Could someone please explain what is going on?
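As an added illustration (not part of the question above, and not Snort's own code), the following Python parses alert lines in the syslog "fast" format quoted in the question and runs two checks a practitioner would want before touching the rule itself. First, it confirms that the sid in the log (1411402415) is simply the rule's sid 10001337007 reduced modulo 2^32, because Snort stores the sid in an unsigned 32-bit field, so the log and the rule do refer to the same signature. Second, it lists alerts in which the sensor is neither endpoint; if that list stays empty while clients talk to other hosts on port 25, the sensor is only seeing traffic addressed to or from itself, which is the symptom described. The sensor address 192.168.0.26 is taken from the quoted alert; all other log lines and the address 192.168.0.10 are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first line is the alert quoted in the question, the
# other two are made-up lines in the same fast-alert/syslog format.
SAMPLE_LOG = """\
Jan 19 23:23:52 HSOC01 snort[7678]: [1:1411402415:0] Email sent {TCP} 192.168.0.134:50848 -> 192.168.0.26:25
Jan 19 23:24:10 HSOC01 snort[7678]: [1:1411402415:0] Email sent {TCP} 192.168.0.134:50901 -> 192.168.0.26:25
Jan 19 23:25:31 HSOC01 snort[7678]: [1:1000001:0] Constructed DNS rule {UDP} 192.168.0.26:41000 -> 192.168.0.1:53
"""

# Constructed: what the same rule would log once the sensor also sees a
# connection between two other hosts (e.g. after adding a mirror/SPAN port).
MIRRORED_LOG = SAMPLE_LOG + (
    "Jan 19 23:40:07 HSOC01 snort[7678]: [1:1411402415:0] Email sent {TCP} "
    "192.168.0.134:51022 -> 192.168.0.10:25\n"
)

# Matches "[gid:sid:rev] msg {PROTO} src:sport -> dst:dport" anywhere in a line.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alerts(text):
    """Parse fast-format alert lines; non-alert lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m is None:
            continue
        alerts.append(Alert(
            gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
            msg=m["msg"], proto=m["proto"],
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
        ))
    return alerts


def effective_sid(sid):
    """Snort keeps the sid in an unsigned 32-bit field, so a larger value in
    the rule file wraps modulo 2**32. That is why rule sid 10001337007 shows
    up in the log as 1411402415."""
    return sid % 2**32


def alerts_to_port(alerts, port, proto="TCP"):
    """Alerts whose destination port (and protocol) match the rule."""
    return [a for a in alerts if a.proto == proto and a.dport == port]


def alerts_not_touching(alerts, sensor_ip):
    """Alerts in which the sensor is neither source nor destination.

    If this stays empty while other hosts exchange port-25 traffic, the
    sensor interface is not seeing that traffic at all, and no rule with
    'any' endpoints can fire for it.
    """
    return [a for a in alerts if sensor_ip not in (a.src, a.dst)]


if __name__ == "__main__":
    print("wrapped sid:", effective_sid(10001337007))
    for name, log in (("sensor-only", SAMPLE_LOG), ("mirrored", MIRRORED_LOG)):
        parsed = parse_alerts(log)
        print(name, "port-25 alerts:", len(alerts_to_port(parsed, 25)),
              "not involving sensor:", len(alerts_not_touching(parsed, "192.168.0.26")))
```

Running it against the sample shows the first log contains only alerts that terminate at 192.168.0.26, whereas the constructed mirrored log contains one alert between two other hosts; the same check applied to a real alert file tells you whether the problem is the rule or the sensor's view of the network.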