Snort mailing list archives

Re: Could you send me on a signature to capture all emails that are sent to a domain, for example “ @tnt.com”.
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 26 Jan 2013 17:42:59 -0500

On 1/26/2013 16:38, Ned Moran wrote:
send an email to yourself in a lab environment. record the pcaps. write and test
a rule based on those pcaps.

for that matter, one can also look at the sources for existing emails and note 
the headers that indicate files that are embedded in the post ;)

you'll learn more doing this yourself.

definitely agree there... some of these requests lately seem to almost be 
homework type assignments :?

On 1/26/13 4:16 PM, Aisling Brennan wrote:
Hi there,

This worked fine.

Can you help with syntax for a rule to detect email attachments?


Sent from my iPhone

On 19 Jan 2013, at 18:37, Balasubramaniam Natarajan<bala150985 () gmail com>  wrote:

On Sat, Jan 19, 2013 at 1:30 AM, Aisling Brennan<aislingbrennan21 () gmail com>  wrote:

Two points

1. Please don't convey the entire message using the Subject :-O

2.  Try this signature

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Mail sent to at tnt dot com domain"; flow:to_server,established; content:"rcpt to|3a|"; nocase; content:"|40|tnt|2e|com"; within:800; sid:10000000; rev:1;)

Snort-sigs mailing list
Snort-sigs () lists sourceforge net
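
Added example, not part of the original thread: a simplified Python model of the content, nocase and within options in the rule quoted above, run against constructed SMTP payloads to show which recipients the rule does and does not catch, plus a helper that picks out the MIME headers marking an attachment. The function names and sample data are assumptions made for illustration; this is not Snort's matching engine.

```python
# Simplified model of Snort's content / nocase / within options, used to
# check the rule from this thread against constructed SMTP client payloads.
# It is not Snort's engine; confirm real behaviour by replaying a lab pcap.

def find_ends(data, pat, nocase, start=0, end=None):
    """Yield the end offset of each occurrence of pat inside data[start:end]."""
    hay, needle = (data.lower(), pat.lower()) if nocase else (data, pat)
    end = len(data) if end is None else end
    pos = hay.find(needle, start, end)
    while pos != -1:
        yield pos + len(pat)
        pos = hay.find(needle, pos + 1, end)

def rule_matches(payload):
    """content:"rcpt to|3a|"; nocase; content:"|40|tnt|2e|com"; within:800;"""
    for cursor in find_ends(payload, b"rcpt to:", nocase=True):
        # within:800 -> the second pattern must lie wholly inside the 800
        # bytes after the first match; it has no nocase, so case matters.
        if any(find_ends(payload, b"@tnt.com", False, cursor, cursor + 800)):
            return True
    return False

def attachment_headers(message):
    """Return the MIME header lines that mark a part as an attached file."""
    return [line.decode("ascii", "replace") for line in message.split(b"\r\n")
            if line.lower().startswith(b"content-disposition:")
            and b"attachment" in line.lower()]

# Constructed sample payloads (not taken from a real capture).
SAMPLES = {
    "exact":     b"MAIL FROM:<a@example.org>\r\nRCPT TO:<bob@tnt.com>\r\n",
    "uppercase": b"MAIL FROM:<a@example.org>\r\nrcpt to:<bob@TNT.COM>\r\n",
    "other":     b"MAIL FROM:<a@example.org>\r\nRCPT TO:<bob@example.net>\r\n",
    "too_far":   b"RCPT TO:<x@example.net>\r\n" + b"A" * 900 + b"@tnt.com",
}
SAMPLE_MESSAGE = (b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n--b1\r\n"
                  b"Content-Type: application/pdf; name=\"report.pdf\"\r\n"
                  b"Content-Disposition: attachment; filename=\"report.pdf\"\r\n"
                  b"Content-Transfer-Encoding: base64\r\n\r\n--b1--\r\n")

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:10} rule fires: {rule_matches(payload)}")
    print(attachment_headers(SAMPLE_MESSAGE))
```

The "uppercase" sample is missed because only the first content carries nocase; a lab pcap replayed through Snort is still the way to confirm how the real rule behaves.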
