Looking at creating a custom sig to count the SMTP traffic on port 25, both incoming and outgoing.
Need some hard numbers for the bean counters.
Have an IDS 4210 and I tried capturing our domain name using a bunch of methods. I got numbers, but they were all over the place. I just want the sig to fire an informational alert each time an SMTP message is sent or received on port 25.
Counters on our mail server won't do the trick, since bugs, spam, etc. are blocked before they get there.
I want to see the raw numbers (count) of SMTP (port 25) traffic before any filtering, blocking, etc. is done.
Any help would be appreciated.