Hi EE!
Could you help me to create Snort Rules to capture the whole emails content.
I have read this discussion: http://www.experts-exchang
If Snort can't capture email content, could you suggest for me another solution to capture email and don't need touch to mail server.
Thanks!
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Using wireshark/tcpdump would be easiest, using filters. If you want to have copies of your emails and use microsofts exchange you can use "journaling" http://technet.microsoft.c
The reason snort is not the best place to do this is because while it can reassemble entire packet streams, it's output for them isn't as good as wireshark's reassembly output when an email spans more than a few packets.
-rich
Hi Mike, Rich!
Thanks for your responds.
I have another question from your comment. How can I use Wireshark to catch email content and outputing to mysql with the format like Snort and Base work together?
And the Wireshark can work properly with a 100MB bandwidth environment?
Thanks!
PS: @Rich: I don't want to do any action to mail servers.
Wireshark can keep up as long as your NIC and CPU can. Wireshark or tcpdump would not save to a database, they would dump to a pcap file. The Snort rules I stated in the question you linked to in your inital question are worth a shot, but large email bodies, and attachements are likely they won't be caught. There are "file carving" tools out there that can reassemble pcap dumps and get files out from a pcap, but not a snort packet capture.
http://sourceforge.net/pro
http://www.forensicswiki.o
-rich
Hi Rich!
Thanks to mention to NetworkMiner, I very like it.
I am on the way to read the email content from a pcap file with NetworkMiner.
Did you have any experiences to do this task before, please help me?
And what is your choice between Wireshark and tcpdump when using on a linux machine (Centos5.3)?
Thanks so much!
I think dsniff/Mailsnarf might do what you want... I don't have an test environment to test with, but it was quite popular http://books.google.com/bo
Hasn't been updated in a while but should still work: http://www.monkey.org/~dug
-rich
Business Accounts
Answer for Membership
by: MikeHolcombPosted on 2009-11-02 at 06:05:46ID: 25719337
Since Snort is not necessarily designed to capture all of your Email content (though it could), there are more efficient means of doing so.
Here's a great forum posting at snort.org on the very subject - https://forums.snort.org/f
Hope this helps...
Mike