Re: Could you send me on a signature to capture all emails that are sent to a domain, for example “@tnt.com”.

[waldo kitty <wkitty42 () windstream net>]

On 1/26/2013 16:38, Ned Moran wrote:
> send an email to yourself in a lab environment. record the pcaps. write and test
> a rule based on those pcaps.

for that matter, one can also look at the sources for existing emails and note 
the headers that indicate files that are embedded in the post ;)

> youll learn more doing this yourself.

definitely agree there... some of these requests lately seem to almost be 
homework type assignments :?

> On 1/26/13 4:16 PM, Aisling Brennan wrote:
> > Hi there,
> >
> > This worked fine.
> >
> > Can you help with syntax for a rule to detect email attachnents ?
> >
> > Tks
> >
> > Sent from my iPhone
> >
> > On 19 Jan 2013, at 18:37, Balasubramaniam Natarajan<bala150985 () gmail com>  wrote:
> >
> > > On Sat, Jan 19, 2013 at 1:30 AM, Aisling Brennan<aislingbrennan21 () gmail com>  wrote:
> > >
> > > Two points
> > >
> > > 1. Please don't convey the entire message using the Subject :-O
> > >
> > > 2.  Try this signature
> > >
> > > alert tcp $HOME_NET any ->  $EXTERNAL_NET 25 (msg:"Mail sent to at tnt dot com domain"; flow:to_server,established; 
> > > content:"rcpt to|3a|"; nocase; content:"|40|tnt|2e|com"; within:800; sid:10000000; rev:1;)



------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!