
List:       snort-sigs
Subject:    Re: [Snort-sigs] Could you send me on a signature to captur
From:       waldo kitty <wkitty42 () windstream ! net>
Date:       2013-01-26 22:42:59
Message-ID: 51045BF3.5090803 () windstream ! net

On 1/26/2013 16:38, Ned Moran wrote:
> send an email to yourself in a lab environment. record the pcaps. write and test
> a rule based on those pcaps.

for that matter, one can also look at the sources for existing emails and note 
the headers that indicate files that are embedded in the post ;)

> you'll learn more doing this yourself.

definitely agree there... some of these requests lately seem to almost be 
homework type assignments :?

> On 1/26/13 4:16 PM, Aisling Brennan wrote:
> > Hi there,
> > 
> > This worked fine.
> > 
> > Can you help with syntax for a rule to detect email attachments?
> > 
> > Tks
> > 
> > Sent from my iPhone
> > 
> > On 19 Jan 2013, at 18:37, Balasubramaniam Natarajan<bala150985@gmail.com>  wrote:
> > 
> > > 
> > > On Sat, Jan 19, 2013 at 1:30 AM, Aisling Brennan<aislingbrennan21@gmail.com>  \
> > > wrote: 
> > > Two points
> > > 
> > > 1. Please don't convey the entire message using the Subject :-O
> > > 
> > > 2.  Try this signature
> > > 
> > > alert tcp $HOME_NET any ->  $EXTERNAL_NET 25 (msg:"Mail sent to at tnt dot com \
> > > domain"; flow:to_server,established; content:"rcpt to|3a|"; nocase; \
> > > content:"|40|tnt|2e|com"; within:800; sid:10000000; rev:1;)
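
Added example, not part of the original thread: a Python sketch of the header inspection suggested in the reply above, listing the MIME headers in a message source that mark an embedded file. The sample message, addresses and the function name attachment_indicators are constructed for illustration.

```python
import email
from email import policy

# Constructed sample: source of a two-part message, as it would cross port 25.
SAMPLE = (
    "From: alice@example.com\r\n"
    "To: bob@example.net\r\n"
    "Subject: report\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    "\r\n"
    "--XYZ\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "See attached.\r\n"
    "--XYZ\r\n"
    'Content-Type: application/pdf; name="report.pdf"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="report.pdf"\r\n'
    "\r\n"
    "JVBERi0xLjQK\r\n"
    "--XYZ--\r\n"
)

def attachment_indicators(raw):
    """Return one dict per MIME part that carries an embedded file."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts only hold the boundary, not a file
        disposition = part.get_content_disposition()  # 'attachment', 'inline' or None
        filename = part.get_filename()  # filename= or, failing that, name=
        if disposition == "attachment" or filename:
            found.append({
                "content_type": part.get_content_type(),
                "disposition": disposition,
                "filename": filename,
                "encoding": str(part.get("Content-Transfer-Encoding")),
            })
    return found

if __name__ == "__main__":
    for hit in attachment_indicators(SAMPLE):
        print(hit)
```

The attachment body is base64 on the wire, so the Content-Disposition and Content-Type header strings are the plain-text parts of the message a content match can key on.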


