Snort: Re: Could you send me on a signature to capture all emails that are sent to a domain, for exa mple “ () tnt com”

Snort mailing list archives

Re: Could you send me on a signature to capture all emails that are sent to a domain, for exa mple “ () tnt com”

From: Ned Moran <ned () mysterymachine info>
Date: Sat, 26 Jan 2013 16:38:58 -0500

send an email to yourself in a lab environment. record the pcaps. write
and test a rule based on those pcaps. youll learn more doing this yourself.

-ned

On 1/26/13 4:16 PM, Aisling Brennan wrote:

Hi there,

This worked fine. 

Can you help with syntax for a rule to detect email attachnents ? 

Tks 

Sent from my iPhone

On 19 Jan 2013, at 18:37, Balasubramaniam Natarajan <bala150985 () gmail com> wrote:


On Sat, Jan 19, 2013 at 1:30 AM, Aisling Brennan <aislingbrennan21 () gmail com> wrote:

Two points

1. Please don't convey the entire message using the Subject :-O

2.  Try this signature

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Mail sent to at tnt dot com domain"; flow:to_server,established; 
content:"rcpt to|3a|"; nocase; content:"|40|tnt|2e|com"; within:800; sid:10000000; rev:1;)

-- 
Regards,
Balasubramaniam Natarajan
www.blog.etutorshop.com



------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

By Date By Thread

Current thread:

Could you send me on a signature to capture all emails that are sent to a domain, for example “ () tnt com” Aisling Brennan (Jan 18)
- Re: [Snort-sigs] Could you send me on a signature to capture all emails that are sent to a domain, for example “ () tnt com” Balasubramaniam Natarajan (Jan 19)
  - Re: Could you send me on a signature to captur e all emails that are sent to a domain, for example “ @tnt.com”. Aisling Brennan (Jan 26)
    - Re: Could you send me on a signature to captur e all emails that are sent to a domain, for example “ @tnt.com”. lists () packetmail net (Jan 26)
    - Re: Could you send me on a signature to capture all emails that are sent to a domain, for exa mple “ () tnt com” Ned Moran (Jan 26)
    - Re: Could you send me on a signature to captur e all emails that are sent to a domain, for example “ @tnt.com”. waldo kitty (Jan 26)