[Snort-users] RE: [Snort-sigs] capture email

Snort Snort at ...7941...
Tue Nov 4 06:21:12 EST 2003

Well, it depends on how much control you have on your network plus how you want to capture it. My thought is to capture the packets/trigger an alert when a user uses the web-based e-mail service and to have the e-mail server send a copy of the e-mails being sent to the teacher to another e-mail box for analysis/research. I am kind of lost though; what are you trying to accomplish? Are you trying to just capture e-mails, set up IDS to alert you when a specified email address is received by your server, or find out which student is sending these e-mails and from where? For most of this you really don't need IDS, just email server logging and a copy of the e-mails; then you can track back to the provider and have them look for which IP address it came from, who it is registered to, when they registered and from where, etc.


-----Original Message-----
From: Ricardo Londono [mailto:rlondono at ...10462...] 
Posted At: Monday, November 03, 2003 12:38 PM
Posted To: Snort
Conversation: [Snort-sigs] capture email
Subject: [Snort-sigs] capture email

I saw the following question in the archives and was wondering if this is possible? I work for a school district and we have a student sending threats via email to a teacher. The student is using web-based email...

"Wouldn't it be nice to be able to capture an _entire SMTP session_ based on
a key word embedded somewhere in the SMTP message?  This could easily be
used to look for messages with a specific email address on them, with a
specific key word inside them, etc.  

Anyone want to write an SMTP protocol handler?"

I'm interested in capturing email from a specific email.

thanks for any help.

Ricardo Londoño
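
The trace-back described in the reply, starting from a retained copy of a message, as an added example that is not part of the original thread. The sample message, hostnames and addresses are constructed placeholders, and the `X-Originating-IP` header is assumed to be present (not every web mail provider adds one).

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: a retained copy as the school's mail server stored it.
# Hosts are example.* placeholders; IPs come from RFC 5737 documentation ranges.
SAMPLE = """\
Received: from mx.webmail.example (mx.webmail.example [192.0.2.25])
\tby mail.school.example with ESMTP id ABC123
\tfor <teacher@school.example>; Mon, 3 Nov 2003 09:14:07 -0500
Received: from [198.51.100.77] by web.webmail.example via HTTP;
\tMon, 3 Nov 2003 06:14:02 -0800
X-Originating-IP: [198.51.100.77]
From: someone@webmail.example
To: teacher@school.example
Subject: constructed sample
Message-ID: <20031103141402.1@web.webmail.example>

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace(raw, our_host):
    """Collect the facts a web mail provider needs to look up the sender."""
    msg = message_from_string(raw)
    ours = None
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())            # unfold continuation lines
        info, _, stamp = flat.rpartition(";")   # date follows the last ';'
        # Only the hop written by our own server is trustworthy; every
        # header below it was supplied by the sending side.
        if f" by {our_host} " not in f" {info} ":
            continue
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None                         # malformed or missing date
        ip = IP_RE.search(info)
        ours = {"ip": ip.group(1) if ip else None, "time": when}
        break                                   # topmost matching hop wins
    claimed = IP_RE.search(msg.get("X-Originating-IP", ""))
    utc = ours["time"].astimezone(timezone.utc).isoformat() if ours and ours["time"] else None
    return {
        "handoff_ip": ours["ip"] if ours else None,   # provider relay we saw
        "handoff_time_utc": utc,                      # timestamp for their logs
        "claimed_client_ip": claimed.group(1) if claimed else None,  # unverified
        "message_id": msg.get("Message-ID"),
    }
```

The client IP is only a claim made by the provider's header; the provider's own logs, matched on the Message-ID and UTC timestamp, are what confirm it.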
