
List:       snort-sigs
Subject:    Re: [Snort-sigs] Could you send me on a signature to
From:       Ned Moran <ned () mysterymachine ! info>
Date:       2013-01-26 21:38:58
Message-ID: 51044CF2.1010206 () mysterymachine ! info

send an email to yourself in a lab environment. record the pcaps. write
and test a rule based on those pcaps. you'll learn more doing this yourself.

-ned

On 1/26/13 4:16 PM, Aisling Brennan wrote:
> Hi there,
> 
> This worked fine. 
> 
> Can you help with syntax for a rule to detect email attachments ? 
> 
> Tks 
> 
> Sent from my iPhone
> 
> On 19 Jan 2013, at 18:37, Balasubramaniam Natarajan <bala150985@gmail.com> wrote:
> 
> > 
> > On Sat, Jan 19, 2013 at 1:30 AM, Aisling Brennan <aislingbrennan21@gmail.com> \
> > wrote: 
> > Two points
> > 
> > 1. Please don't convey the entire message using the Subject :-O
> > 
> > 2.  Try this signature
> > 
> > alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Mail sent to at tnt dot com \
> > domain"; flow:to_server,established; content:"rcpt to|3a|"; nocase; \
> > content:"|40|tnt|2e|com"; within:800; sid:10000000; rev:1;) 
> > -- 
> > Regards,
> > Balasubramaniam Natarajan
> > www.blog.etutorshop.com
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
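
An added example, not part of the original messages: a Python emulation of the two content checks in the signature quoted above, run over constructed SMTP payloads to show what lab testing of that rule surfaces. The names `rule_matches`, `evaluate` and `SAMPLES` are assumptions, each payload is treated as one inspected buffer, and port, flow and stream reassembly are not modelled.

```python
# Added example: emulates only the content options of the quoted rule.
# Assumption: each payload is one client-to-server buffer as inspected.

FIRST = b"rcpt to:"    # content:"rcpt to|3a|"; nocase;
SECOND = b"@tnt.com"   # content:"|40|tnt|2e|com"; within:800; (no nocase)
WITHIN = 800           # bytes after the end of the first match


def rule_matches(payload: bytes) -> bool:
    """True if the second content lies fully inside the 800-byte window
    that starts right after any case-insensitive "rcpt to:" match."""
    lowered = payload.lower()
    start = 0
    while True:
        idx = lowered.find(FIRST, start)
        if idx == -1:
            return False
        cursor = idx + len(FIRST)
        # The second content is case-sensitive: search the original bytes.
        if SECOND in payload[cursor:cursor + WITHIN]:
            return True
        start = idx + 1  # retry from the next "rcpt to:" occurrence


# Constructed sample payloads (not taken from any real capture).
SAMPLES = {
    "lowercase domain": b"MAIL FROM:<lab@example.org>\r\nRCPT TO:<user@tnt.com>\r\n",
    "mixed-case command": b"rcpt TO:<user@tnt.com>\r\n",
    # Domains are case-insensitive, but the second content has no nocase.
    "uppercase domain": b"RCPT TO:<user@TNT.COM>\r\n",
    "other domain": b"RCPT TO:<user@example.org>\r\n",
    # Substring match: a longer domain that merely starts with tnt.com.
    "longer domain": b"RCPT TO:<user@tnt.com.example.net>\r\n",
    # The address appears, but more than 800 bytes after "rcpt to:".
    "beyond window": b"RCPT TO:<a@example.org>\r\n" + b"X" * 900 + b"<user@tnt.com>",
}


def evaluate() -> dict:
    return {name: rule_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:20s} {'ALERT' if hit else 'no alert'}")
```

The uppercase-domain miss and the longer-domain hit are the kind of gaps that replaying a lab capture against the rule makes visible before it is deployed.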




