I would like to create a signature to look for SMTP "command mail from:<>". Is this the right regex statement to look for this traffic?
I usually use the hex equivalent of the space, but that's just personal preference as it makes it easier to read to me (and i don't inadvertently add random spaces where I don't want them).
Realize that [<>] is a character class and means "<" or ">" in that spot, so the regex you propose would match:
If you wanted to find:
mail from:<> (no value in between the braces) then the following: