[Snort-sigs] SMTP mail monitoring with Snort

Nelson, James (CC-MIS Plans and Prog) James.Nelson at ...74...
Mon Mar 18 12:42:45 EST 2002

Wouldn't it be nice to be able to capture an _entire SMTP session_ based on
a key word embedded somewhere in the SMTP message?  This could easily be
used to look for messages with a specific email address on them, with a
specific key word inside them, etc.  

Anyone want to write an SMTP protocol handler?  

I've done quite a bit with the existing Snort capabilities, but the main
problems all relate to reading the captured data out of the trace and having
all of the data you need when part or all of the header is missing.  Ever
tried to trace a TCP session with ethereal when the start of the session is
not in the trace?  (It does not work too hot.)
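The two problems raised above, pulling a whole SMTP session out of a trace on a keyword and still getting usable data when the start of the session is missing, come down to TCP stream reassembly. The following is an added example, not code from this post or from Snort. It assumes a hypothetical packet decoder that hands over TCP segments as dicts (`src`, `sport`, `dst`, `dport`, `seq`, `flags`, `payload`); all sample traffic is constructed inline. It matches the keyword against the reassembled client stream rather than individual packets, so a keyword split across two segments is still found, and a session whose SYN was never captured is anchored on the first segment seen and rebased if an earlier segment shows up later.

```python
"""Keyword-triggered capture of whole SMTP sessions from raw TCP segments.
Added example, not code from the original post or from Snort. It assumes a
hypothetical decoder yielding TCP segments as dicts with 'src', 'sport',
'dst', 'dport', 'seq', 'flags' and 'payload'; all sample traffic is constructed."""

SMTP_PORT = 25


class Stream:
    """One direction of a TCP stream, reassembled by sequence number. If the SYN
    is missing (capture began mid-session) the first segment seen is the base,
    and an earlier segment arriving later simply shifts that base back."""

    def __init__(self):
        self.base = None      # absolute seq of relative offset 0
        self.segments = {}    # relative offset -> payload bytes
        self.saw_syn = False  # True only if the session start was captured

    def add(self, seq, flags, payload):
        if "S" in flags:
            self.saw_syn = True
            self.base = (seq + 1) & 0xFFFFFFFF   # SYN consumes one seq number
            return
        if self.base is None:
            self.base = seq                      # mid-stream join
        rel = ((seq - self.base + 2**31) & 0xFFFFFFFF) - 2**31   # signed, wraps
        if rel < 0:                              # data from before our base
            self.segments = {off - rel: p for off, p in self.segments.items()}
            self.base, rel = seq, 0
        if payload:
            self.segments[rel] = payload

    def data(self):
        """Concatenate in order; gaps are marked, retransmit overlaps trimmed."""
        out, expected = bytearray(), 0
        for off in sorted(self.segments):
            chunk = self.segments[off]
            if off > expected:
                out += b"[GAP %d bytes]" % (off - expected)
                expected = off
            elif off < expected:
                chunk, off = chunk[expected - off:], expected
            out += chunk
            expected = off + len(chunk)
        return bytes(out)


def session_key(seg):
    """Map both directions of a connection onto one (client, server) key."""
    src, dst = (seg["src"], seg["sport"]), (seg["dst"], seg["dport"])
    if seg["dport"] == SMTP_PORT:
        return (src, dst), "client"
    if seg["sport"] == SMTP_PORT:
        return (dst, src), "server"
    return None, None                            # not SMTP, ignored


def reassemble(segments):
    """key -> {'client': Stream, 'server': Stream} for every SMTP connection seen."""
    sessions = {}
    for seg in segments:
        key, direction = session_key(seg)
        if key is not None:
            sess = sessions.setdefault(key, {"client": Stream(), "server": Stream()})
            sess[direction].add(seg["seq"], seg["flags"], seg["payload"])
    return sessions


def find_sessions(segments, keyword):
    """(key, session) pairs whose reassembled client data contains keyword.
    Matching the reassembled stream rather than single packets means a keyword
    split across two segments is still found; the match is case-insensitive."""
    kw = keyword.lower()
    return [(k, s) for k, s in reassemble(segments).items()
            if kw in s["client"].data().lower()]


def client_segments(src, sport, dst, seq, chunks, syn=True):
    """Constructed client->server segments with running sequence numbers."""
    def mk(seq, flags, p):
        return {"src": src, "sport": sport, "dst": dst, "dport": SMTP_PORT,
                "seq": seq, "flags": flags, "payload": p}
    segs = [mk(seq, "S", b"")] if syn else []
    seq += 1 if syn else 0
    for chunk in chunks:
        segs.append(mk(seq, "PA", chunk))
        seq += len(chunk)
    return segs


# Constructed sample: session A is complete and the keyword "report" straddles
# two segments; session B was joined mid-stream (no SYN) and arrives out of order.
SESSION_A = client_segments("10.0.0.5", 40001, "192.0.2.10", 1000, [
    b"EHLO client.example.test\r\n", b"MAIL FROM:<alice@example.test>\r\n",
    b"RCPT TO:<bob@example.test>\r\n", b"DATA\r\n",
    b"Subject: quarterly rep", b"ort\r\n\r\nfigures attached\r\n.\r\n"])
SESSION_B = client_segments("10.0.0.7", 40002, "192.0.2.10", 77000,
    [b"Subject: password reset\r\n\r\n", b"see link\r\n.\r\n"], syn=False)
SAMPLE = SESSION_A + [SESSION_B[1], SESSION_B[0]]

if __name__ == "__main__":
    for key, sess in find_sessions(SAMPLE, b"report"):
        print(key, "complete" if sess["client"].saw_syn else "mid-stream", sess["client"].data())
```

Run as a script it prints the one session whose message contains "report" with its full reassembled client stream. The `saw_syn` flag is what tells an analyst whether the captured session is complete or was joined mid-way, which is exactly the case where a tool that insists on seeing the handshake gives up; gaps in the stream are marked inline rather than silently dropped so the capture is honest about what it is missing. Snort's own answer to the first wish, capturing the rest of a session once a rule fires, is the `tag` rule option in later versions of the rule language, but it still needs the stream reassembly above to do anything useful with a session whose start is not in the trace.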
