Snort mailing list archives

RE: How can I view the packet payload if the packet is SMTP


From: "Miller, Eoin" <Miller () fhlb-of com>
Date: Wed, 11 Dec 2002 11:36:43 -0500

Nope, it won't do it from Snort alerts, but you could use this as a
solution: since you have a timestamp from the Snort alert, you would
know where to look in the mail log that ettercap is generating, and
since you know what word you are searching for, it's even easier. Just
pointing it out as a tool to help get the job done.

Eoin

-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com] 
Sent: Wednesday, December 11, 2002 11:31 AM
To: Miller, Eoin
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] How can I view the packet payload if
the packet is SMTP

On Wed, 2002-12-11 at 10:25, Miller, Eoin wrote:
Actually, it's quite possible using ettercap
(http://ettercap.sourceforge.net): there is a plugin that comes with
this program by default called H20_dwarf, and it logs all POP/SMTP
activity, decoded, to a log file. It's pretty sweet, plus it lets you do
it on a switched network.

Yeah, there are several programs out there that log SMTP traffic.
Mailsnarf comes to mind. They all require you to sniff and feed the
program, though.

Or are you saying that Ettercap can read in data from Snort logs (not
tcpdump)?

It shouldn't be too hard to write a shell script that parses the Snort
log file, grabs the hex values out and writes them as ASCII to a file (and
then maybe changes the To: header and re-inserts it into your MTA of
choice).

Would be nice having as a plugin though.

Frank



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
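Frank's suggestion (a script that pulls the hex bytes out of a Snort log and turns them back into ASCII so you can find the SMTP packet that tripped the rule), worked through as an added example in Python rather than shell. This is not code from the thread, from ettercap or from the Snort project. It assumes the classic Snort text-log hex-dump layout: a header line "MM/DD-HH:MM:SS.usec src:port -> dst:port", protocol detail lines, then hex-dump lines of up to 16 bytes written as two hex digits plus a space (48 columns, padded) followed by an ASCII column, with records separated by "=+=+" lines. The log embedded below is constructed for the example.

```python
import re

# Header line of one Snort text-log record (assumed Snort 2.x layout).
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s*$"
)
# A hex-dump line starts with at least one "XX " byte token.
HEX_LINE_RE = re.compile(r"^[0-9A-Fa-f]{2} ")
HEX_TOKEN_RE = re.compile(r"^[0-9A-Fa-f]{2}$")
HEX_COLUMNS = 16 * 3  # assumption: 16 bytes per line, 3 columns per byte


def hex_line_bytes(line):
    """Return the bytes encoded in one Snort hex-dump line.

    Only the first 48 characters are examined. Snort pads the hex column to
    that width before printing the ASCII column, so text in the ASCII column
    that happens to look like hex ("AB CD") is never parsed as payload.
    Parsing stops at the first token that is not a two-digit hex value.
    """
    out = bytearray()
    for tok in line[:HEX_COLUMNS].split():
        if not HEX_TOKEN_RE.match(tok):
            break
        out.append(int(tok, 16))
    return bytes(out)


def parse_snort_log(text):
    """Split a Snort text log into records: dicts with ts, src, sport, dst, dport, payload."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            current["sport"] = int(current["sport"])
            current["dport"] = int(current["dport"])
            current["payload"] = b""
            records.append(current)
        elif current is not None and HEX_LINE_RE.match(line):
            current["payload"] += hex_line_bytes(line)
        # "=+=+" separators, TCP/IP detail lines and blank lines are skipped
    return records


def printable(payload):
    """Render a payload like Snort's ASCII column: non-printables become '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


def search_smtp(records, keyword, smtp_port=25):
    """Records sent to the SMTP port whose payload contains keyword (case-insensitive)."""
    needle = keyword.lower().encode("latin-1")
    return [r for r in records
            if r["dport"] == smtp_port and needle in r["payload"].lower()]


# Constructed sample log: two SMTP packets and one HTTP packet.
SAMPLE_LOG = """\
12/11-11:31:05.118812 10.0.0.5:34567 -> 10.0.0.25:25
TCP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:71 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x16D0  TcpLen: 20
4D 41 49 4C 20 46 52 4F 4D 3A 3C 61 6C 69 63 65  MAIL FROM:<alice
40 65 78 61 6D 70 6C 65 2E 63 6F 6D 3E 0D 0A     @example.com>..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/11-11:31:07.204415 10.0.0.5:34567 -> 10.0.0.25:25
TCP TTL:64 TOS:0x0 ID:4243 IpLen:20 DgmLen:63 DF
***AP*** Seq: 0x1A2B3C6C  Ack: 0x5E6F7081  Win: 0x16D0  TcpLen: 20
53 75 62 6A 65 63 74 3A 20 43 6F 6E 66 69 64 65  Subject: Confide
6E 74 69 61 6C 0D 0A                             ntial..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/11-11:31:09.551002 10.0.0.7:40001 -> 10.0.0.80:80
TCP TTL:64 TOS:0x0 ID:9001 IpLen:20 DgmLen:56 DF
***AP*** Seq: 0x00112233  Ack: 0x44556677  Win: 0x16D0  TcpLen: 20
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A  GET / HTTP/1.0..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""


def main():
    records = parse_snort_log(SAMPLE_LOG)
    for r in search_smtp(records, "confidential"):
        print(f'{r["ts"]} {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]}')
        print(printable(r["payload"]))


if __name__ == "__main__":
    main()
```

Against a real log, `parse_snort_log(open(path).read())` does the same job; the timestamp on each hit is what you would line up against the ettercap mail log, as Eoin suggests. Writing the reassembled bytes out as a file (or re-injecting into an MTA) is left to the reader, since a single packet is rarely a whole message.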

