Solved
- We want to analyze the SMTP traffic, but there are differences in the amount of traffic per port and application, on the other hand, understand why the filter is typified as ports 25+.
Rule details: Ports - Host-based email (ports 25+) >>> This shows more traffic than the application.
Rule details: Applications - Host-based email (POP3 / IMAP / SMTP)
The "Host-based email" rule shows "Ports 25+" because it includes multiple ports:
- POP3 (Ports 110,995)
- IMAP (Ports 143,993)
- SMTP (Ports 25,465)
There may be more that I've missed but the main point is that there are multiple ports it is classifying.
The "Windows file sharing" rule has a similar name and multiple port classification.
However, for this rule, it lists the ports under the name.
The "Host-based email" rule shows "Ports 25+" because it includes multiple ports:
- POP3 (Ports 110,995)
- IMAP (Ports 143,993)
- SMTP (Ports 25,465)
There may be more that I've missed but the main point is that there are multiple ports it is classifying.
The "Windows file sharing" rule has a similar name and multiple port classification.
However, for this rule, it lists the ports under the name.
