List: snort-sigs
Subject: Re: [Snort-sigs] Could you send me on a signature to
From: Ned Moran <ned () mysterymachine ! info>
Date: 2013-01-26 21:38:58
Message-ID: 51044CF2.1010206 () mysterymachine ! info
send an email to yourself in a lab environment. record the pcaps. write
and test a rule based on those pcaps. you'll learn more doing this yourself.
-ned
On 1/26/13 4:16 PM, Aisling Brennan wrote:
> Hi there,
>
> This worked fine.
>
> Can you help with syntax for a rule to detect email attachments ?
>
> Tks
>
> Sent from my iPhone
>
> On 19 Jan 2013, at 18:37, Balasubramaniam Natarajan <bala150985@gmail.com> wrote:
>
> >
> > On Sat, Jan 19, 2013 at 1:30 AM, Aisling Brennan <aislingbrennan21@gmail.com> wrote:
> > Two points
> >
> > 1. Please don't convey the entire message using the Subject :-O
> >
> > 2. Try this signature
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Mail sent to at tnt dot com domain"; flow:to_server,established; content:"rcpt to|3a|"; nocase; content:"|40|tnt|2e|com"; within:800; sid:10000000; rev:1;)
> > --
> > Regards,
> > Balasubramaniam Natarajan
> > www.blog.etutorshop.com
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
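
Added example, not part of the original thread: a simplified Python model of how the content, nocase and within options of the signature quoted above are evaluated, run over constructed SMTP client payloads of the kind a lab capture would contain. It is a model for reasoning about the rule, not Snort itself; the sample payloads and the names RULE, SAMPLES, rule_matches and evaluate are assumptions made for the example.

```python
# Added example: a simplified model of Snort's content/nocase/within matching,
# applied to the rule quoted above. Not Snort itself; one payload = one
# client-to-server segment as a lab pcap would show it.

# (pattern, nocase, within); within counts from the end of the previous match
RULE = [
    (b"rcpt to:", True, None),   # content:"rcpt to|3a|"; nocase;
    (b"@tnt.com", False, 800),   # content:"|40|tnt|2e|com"; within:800;
]

def find_all(data, pat, nocase, lo, hi):
    """Yield every offset in data[lo:hi] where pat occurs in full."""
    hay, needle = (data.lower(), pat.lower()) if nocase else (data, pat)
    pos = hay.find(needle, lo, hi)
    while pos != -1:
        yield pos
        pos = hay.find(needle, pos + 1, hi)

def rule_matches(payload, rule=RULE, idx=0, cursor=0):
    """True if every content option matches in order, retrying earlier matches."""
    if idx == len(rule):
        return True
    pat, nocase, within = rule[idx]
    if within is None:                       # absolute search over the payload
        lo, hi = 0, len(payload)
    else:                                    # relative to the previous match end
        lo, hi = cursor, min(len(payload), cursor + within)
    return any(rule_matches(payload, rule, idx + 1, pos + len(pat))
               for pos in find_all(payload, pat, nocase, lo, hi))

# Constructed SMTP client payloads (not taken from a real capture)
SAMPLES = {
    "target domain":     b"RCPT TO:<alice@tnt.com>\r\n",
    "lowercase command": b"rcpt to:<alice@tnt.com>\r\n",
    "other domain":      b"RCPT TO:<alice@example.org>\r\n",
    "sender only":       b"MAIL FROM:<bob@tnt.com>\r\nRCPT TO:<c@example.org>\r\n",
    "uppercase domain":  b"RCPT TO:<alice@TNT.COM>\r\n",   # second content has no nocase
    "longer domain":     b"RCPT TO:<alice@tnt.com.example.org>\r\n",  # substring hit
}

def evaluate(samples=SAMPLES):
    """Return {sample name: True if the modelled rule would alert}."""
    return {name: rule_matches(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'quiet'}  {name}")
```

The two cases worth checking against a real capture are the uppercase domain, which the second content does not match because only the first carries nocase, and the longer domain, which alerts because "@tnt.com" is matched as a substring.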