Wireshark mailing list archives

Re: Capturing Email Traffic


From: Seth Hall <seth () icir org>
Date: Fri, 7 Sep 2012 15:15:09 -0400


On Aug 29, 2012, at 11:36 AM, Giles Coochey <giles () coochey net> wrote:

As Lars says - (POP or SMTP) will just identify traffic on ports 25 and 110; in order to go further you need protocol 
inspection of all traffic. Running snort over an RSPAN port of your internet VLAN might be able to perform this kind 
of inspection for you... you would probably have to write your own snort rule for this.
http://www.snort.org


Alternately, Bro will create an smtp.log out of the box where it not only finds SMTP on any port, but it logs a number 
of attributes of email being sent.  http://www.bro-ids.org

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
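
Added illustration of the smtp.log approach from the message above (not part of the original post and not code from the Bro project): a Python sketch that reads a Bro tab-separated smtp.log and lists SMTP sessions seen on ports other than the expected ones. The sample log lines are constructed, the field list is a reduced subset of what Bro writes, and the set of "expected" ports is an assumption.

```python
# Constructed sample in Bro's tab-separated log layout (reduced field set).
SAMPLE_SMTP_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tsmtp",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\thelo\tmailfrom",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring",
    "1347045309.10\tCsample01\t192.0.2.10\t49152\t198.51.100.25\t25\tmx.example.org\talice@example.org",
    "1347045311.42\tCsample02\t192.0.2.11\t49153\t203.0.113.7\t2525\tpc11.example.org\tcarol@example.org",
    "1347045320.77\tCsample03\t192.0.2.12\t49154\t203.0.113.9\t8025\t-\t-",
    "1347045321.00\tCsample04\t192.0.2.13",  # truncated row, skipped by the parser
])

# Assumption: ports on which SMTP is expected at this site.
EXPECTED_SMTP_PORTS = {25, 465, 587}


def parse_bro_log(text):
    """Return one dict per data row, keyed by the names in the #fields header."""
    fields, unset, records = [], "-", []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # malformed or truncated row
        records.append({k: (None if v == unset else v)
                        for k, v in zip(fields, values)})
    return records


def smtp_on_unexpected_ports(records, expected=EXPECTED_SMTP_PORTS):
    """List (client, server, server_port, mailfrom) for SMTP off the expected ports."""
    return [(r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]), r["mailfrom"])
            for r in records if int(r["id.resp_p"]) not in expected]


if __name__ == "__main__":
    for hit in smtp_on_unexpected_ports(parse_bro_log(SAMPLE_SMTP_LOG)):
        print(hit)
```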

