alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; sid: 2000328; rev:10;)

Added 2008-01-31 18:48:10 UTC

alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; sid: 2000328; rev:10;)

Added 2008-01-31 18:48:10 UTC

alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; sid: 2000328; rev:9;)

Added 2007-03-12 18:11:47 UTC

added flow, thanks joel

-- MattJonkman - 12 Mar 2007

alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails"; content:"mail from\:"; nocase; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; sid: 2000328; rev:8;)

Added 2007-03-12 11:00:34 UTC

I added the content:"mail from\:"; nocase; in place of flags S,12. Hopefully this will make the sig more meaningful. It'll only trip is mail is actually passing or being reasonably attempted.

-- MattJonkman - 12 Mar 2007

alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails"; flags: S,12; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; sid: 2000328; rev:7;)