Snort mailing list archives
RE: How can I view the packet payload if the packet is SMTP
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 11 Dec 2002 10:31:11 -0600
On Wed, 2002-12-11 at 10:25, Miller, Eoin wrote:
> Actually it's quite possible using ettercap (http://ettercap.sourceforge.net). There is a plugin that comes with this program by default called H20_dwarf, and it logs all pop/smtp activity, decoded, to a log file. It's pretty sweet, plus it lets you do it on a switched network.

Yeah, there are several programs out there that log SMTP traffic. Mailsnarf comes to mind. They all require you to sniff and feed the program though. Or are you saying that Ettercap can read in data from Snort logs? (not tcpdump).

It shouldn't be too hard to write a shell script that parses the Snort log file, grabs the hex values out and writes them as ASCII to a file (and then maybe change the To: header and re-insert it into your MTA of choice). Would be nice having as a plugin though.

Frank
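A sketch of the kind of log-parsing script described in the reply above, as an added example that is not code from the thread or from Snort. The log layout it expects, the function names `snort_payload` and `sample_log`, and the sample packets are assumptions made for illustration.

```shell
# Added example, not from the thread. Assumes Snort's ASCII log written with
# -d: "date-time src:port -> dst:port", detail lines, rows of up to 16 hex
# bytes padded to 48 columns plus a printable column, "=+=+" after each packet.
# Usage: snort_payload PORT < logfile   (payload of packets sent to PORT)
snort_payload() {
    LC_ALL=C awk -v port="$1" '
    function hexval(h) {                       # two hex digits -> number
        h = toupper(h)
        return 16 * (index(HEX, substr(h, 1, 1)) - 1) + index(HEX, substr(h, 2, 1)) - 1
    }
    BEGIN { HEX = "0123456789ABCDEF" }
    # Packet header: keep the packet only if its destination port matches.
    $3 == "->" && $1 ~ /^[0-9]+\/[0-9]+-/ {
        n = split($4, dst, ":"); want = (dst[n] == port); next
    }
    /^=\+=\+/ { want = 0; next }               # packet separator
    # Hex row: read only the 48-column hex area, so printable text that
    # looks like hex digits is never decoded as payload.
    want && /^[0-9A-Fa-f][0-9A-Fa-f]( |$)/ {
        n = split(substr($0, 1, 48), b, " ")
        for (i = 1; i <= n; i++) {
            if (b[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) break
            printf "%c", hexval(b[i])
        }
    }'
}

# Constructed sample log; addresses and message content are made up.
sample_log() {
    cat <<'EOF'
12/11-10:25:01.000001 192.0.2.10:1025 -> 192.0.2.25:25
TCP TTL:64 TOS:0x0 ID:100 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0x1000  Ack: 0x2000  Win: 0x4000  TcpLen: 20
4D 41 49 4C 20 46 52 4F 4D 3A 3C 61 40 65 78 61  MAIL FROM:<a@exa
6D 70 6C 65 2E 74 65 73 74 3E 0D 0A              mple.test>..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/11-10:25:01.000200 192.0.2.25:25 -> 192.0.2.10:1025
TCP TTL:64 TOS:0x0 ID:200 IpLen:20 DgmLen:48 DF
***AP*** Seq: 0x2000  Ack: 0x101C  Win: 0x4000  TcpLen: 20
32 35 30 20 4F 4B 0D 0A                          250 OK..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/11-10:25:01.000400 192.0.2.10:1025 -> 192.0.2.25:25
TCP TTL:64 TOS:0x0 ID:101 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0x101C  Ack: 0x2008  Win: 0x4000  TcpLen: 20
44 41 54 41 0D 0A                                DATA..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
EOF
}
```

The output is a per-packet concatenation in log order with no TCP reassembly, so retransmitted or out-of-order segments appear as logged. Redirect it to a file rather than a terminal, since the payload can contain control characters.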