Snort mailing list archives

RE: [Snort-sigs] capture email


From: "Snort" <Snort () intercept net>
Date: Tue, 4 Nov 2003 09:20:28 -0500

Well, it depends on how much control you have on your network plus how you want to capture it. My thought is to capture 
the packets/trigger an alert when a user uses the web-based e-mail service and to have the e-mail server send a copy of 
the e-mails being sent to the teacher to another e-mail box for analysis/research. I am kind of lost though, what are 
you trying to accomplish? Are you trying to just capture e-mails, set up IDS to alert you when a specified email address 
is received by your server, or find out which student and from where is sending these e-mails? Most of this you really 
don't need IDS, just email server logging and a copy of the e-mails, then you can track back to the provider and have 
them look for which IP address it came from, who it is registered to, when they registered and from where, etc. 

Michael

-----Original Message-----
From: Ricardo Londono [mailto:rlondono () ccisd net] 
Posted At: Monday, November 03, 2003 12:38 PM
Posted To: Snort
Conversation: [Snort-sigs] capture email
Subject: [Snort-sigs] capture email

I saw the following question in the archives and was wondering if this is possible? I work for a school district and 
we have a student sending threats via email to a teacher. The student is using web-based email...


***************************************************************
EMAIL FROM James...
"Wouldn't it be nice to be able to capture an _entire SMTP session_ based on
a key word embedded somewhere in the SMTP message?  This could easily be
used to look for messages with a specific email address on them, with a
specific key word inside them, etc.  

Anyone want to write an SMTP protocol handler?"
***************************************************************


I'm interested in capturing email from a specific email.

thanks for any help.

Ricardo Londoño




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

