Snort mailing list archives
Re: Could you send me on a signature to capture all emails that are sent to a domain, for example “@tnt.com”.
From: "lists () packetmail net" <lists () packetmail net>
Date: Sat, 26 Jan 2013 15:44:49 -0600
On 01/26/2013 03:16 PM, Aisling Brennan wrote:
Can you help with syntax for a rule to detect email attachments?
Hi,

Since you've not supplied much information around your request, including direction, here you go:

alert tcp any any -> any 25 (msg:"LOCAL Electronic Message with an attachment"; flow:established,to_server; content:"Content-Disposition|3a|"; nocase; content:"name="; distance:0; within:15; classtype:policy-violation; sid:x; rev:1;)

alert tcp any any -> any 587 (msg:"LOCAL Electronic Message with an attachment"; flow:established,to_server; content:"Content-Disposition|3a|"; nocase; content:"name="; distance:0; within:15; classtype:policy-violation; sid:x; rev:1;)

Finally, I would strongly encourage you to spend some time reading the Snort manual as well as familiarizing yourself with tcpdump and other libpcap-based solutions so we (collectively) don't have to continue to spoonfeed you solutions. This, coupled with a basic understanding of RFC 822, RFC 2821, RFC 2045, RFC 2046, RFC 2047, RFC 2048, and RFC 2049, will really go far with your own personal growth around this subject.

If you could be more verbose in your request and goals, the community may be able to provide a better tool set, since you seem focused on electronic messages and detection of respective facets.

Cheers, best wishes, and I hope this helped.

- Nathan

“Self-education is, I firmly believe, the only kind of education there is.” Isaac Asimov
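As an added example that is not part of the thread, the Python below models the content chain of the posted rule (Content-Disposition|3a| with nocase, then name= with distance:0; within:15) against constructed SMTP DATA payloads, so a rule writer can see which Content-Disposition forms the 15-byte window actually covers. It assumes Snort's relative-content semantics, where within is a search depth measured from the end of the previous match and the pattern must fit entirely inside that window, and it models only the content matching, not the flow or port constraints.

```python
# Added example (not from the thread): models the posted rule's content chain.
# Assumption: a relative content is searched in a window starting distance bytes
# after the previous match's end and within bytes long; it must fit inside it.
RULE_CHAIN = [  # (pattern, nocase, distance, within); None = option not given
    (b"Content-Disposition:", True, None, None),  # content:"Content-Disposition|3a|"; nocase;
    (b"name=", False, 0, 15),                     # content:"name="; distance:0; within:15;
]

def occurrences(payload, pattern, nocase, lo, hi):
    """Yield the end offset of each occurrence of pattern lying fully inside payload[lo:hi]."""
    hay, needle = payload[lo:hi], pattern
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    idx = hay.find(needle)
    while idx >= 0:
        yield lo + idx + len(pattern)
        idx = hay.find(needle, idx + 1)

def rule_matches(payload, chain=RULE_CHAIN, doe=0):
    """True when every content matches in order; doe is the end of the previous match.
    As Snort does, a failing later content retries later occurrences of the earlier one."""
    if not chain:
        return True
    pattern, nocase, distance, within = chain[0]
    lo = doe + (distance or 0)
    hi = lo + within if within is not None else len(payload)
    return any(rule_matches(payload, chain[1:], end)
               for end in occurrences(payload, pattern, nocase, lo, hi))

def smtp_data(disposition_header):
    """Constructed SMTP DATA payload (CRLF line ends) with one MIME part using the given header."""
    return (b"From: alice@example.com\r\nTo: bob@example.net\r\nSubject: report\r\n"
            b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
            b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
            b"--b1\r\nContent-Type: application/pdf\r\n" + disposition_header + b"\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\nJVBERi0xLjQK\r\n--b1--\r\n.\r\n")

# Constructed header variants; comments give where "name=" ends, counted from the colon,
# which is what the rule's 15-byte window is measured against.
CASES = {
    "inline_name": b"Content-Disposition: inline; name=\"logo.png\"",                # ends at 14
    "lowercase_inline": b"content-disposition: inline; name=\"logo.png\"",           # nocase; 14
    "attachment_name": b"Content-Disposition: attachment; name=\"q1.pdf\"",          # ends at 18
    "attachment_filename": b"Content-Disposition: attachment; filename=\"q1.pdf\"",  # ends at 22
    "no_disposition": b"X-Note: nothing to see",
}

def evaluate_cases():
    """Map each constructed case to whether the posted rule's content chain fires on it."""
    return {name: rule_matches(smtp_data(header)) for name, header in CASES.items()}
```

Widening within (or anchoring on "filename=" as well) is the usual adjustment once the offsets above are measured against the mail a given MUA actually emits.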
Current thread:
- Could you send me on a signature to capture all emails that are sent to a domain, for example “@tnt.com”. Aisling Brennan (Jan 18)
- Re: [Snort-sigs] Could you send me on a signature to capture all emails that are sent to a domain, for example “@tnt.com”. Balasubramaniam Natarajan (Jan 19)
- Re: Could you send me on a signature to capture all emails that are sent to a domain, for example “@tnt.com”. Aisling Brennan (Jan 26)
- Re: Could you send me on a signature to capture all emails that are sent to a domain, for example “@tnt.com”. lists () packetmail net (Jan 26)
- Re: Could you send me on a signature to capture all emails that are sent to a domain, for example “@tnt.com”. Ned Moran (Jan 26)
- Re: Could you send me on a signature to capture all emails that are sent to a domain, for example “@tnt.com”. waldo kitty (Jan 26)
- Re: Could you send me on a signature to capture all emails that are sent to a domain, for example “@tnt.com”. Aisling Brennan (Jan 26)