Snort mailing list archives
RE: How can I view the packet payload if thepacketis SMTP
From: "Miller, Eoin" <Miller () fhlb-of com>
Date: Wed, 11 Dec 2002 11:36:43 -0500
Nope it wont do it from snort alerts, but you could use this as a solution, since you have a time stamp of the snort alert you could then know where in the log of mail that's being generated by ettercap to look and since you know what word you are searching for its even easier. Just pointing it out as a tool to help get the job done. Eoin -----Original Message----- From: Frank Knobbe [mailto:fknobbe () knobbeits com] Sent: Wednesday, December 11, 2002 11:31 AM To: Miller, Eoin Cc: snort-users () lists sourceforge net Subject: RE: [Snort-users] How can I view the packet payload if thepacketis SMTP On Wed, 2002-12-11 at 10:25, Miller, Eoin wrote:
Actually its quite possible using ettercap (http://ettercap.sourceforge.net) there is a plugin that comes with
this
program by default called H20_dwarf and it logs all pop/smtp activity, decoded, to a log file, its pretty sweet, plus it let you do it on a switched network.
Yeah, there are several programs out there that log SMTP traffic. Mailsnarf comes to mind. They all require you to sniff and feed the program though. Or are you saying that Ettercap can read in data from Snort logs? (not tcpdump). It shouldn't be too hard to write a shell script that parses the Snort log file, grabs the hex values out and writes it as ASCII to a file (and then maybe change the To: header and re-insert it into your MTA of choice). Would be nice having as a plugin though. Frank ------------------------------------------------------- This sf.net email is sponsored by: With Great Power, Comes Great Responsibility Learn to use your power at OSDN's High Performance Computing Channel http://hpc.devchannel.org/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: How can I view the packet payload if thepacketis SMTP Miller, Eoin (Dec 11)