Snort email rule to alert about any email from a specific user
I am new to Snort rules and need a rule that will alert on any email from a specific user. For example:
alert tcp any any -> any 25 (msg:"Target Email Detected"; content:"email@thatemail.com"; fast_pattern:only; nocase; classtype: Target Email Detected ;sid:12345 ;)
As it stands, this rule will fire if the string is in the content, but mail from the address above does not trigger an alert.
email snort
asked Oct 18 '11 at 14:55 by ThatGuy; edited Oct 21 '11 at 0:49 by studiohack
1 Answer
Your rule looks good for the most part.
I believe the problem has to do with your sid mapping / classtype.
If you define a new classtype, as you have done, there are additional configuration options that need to be set; in this case it is much easier to recycle something existing. I would suggest using a classtype of policy-violation.
RE: Comment
The content field searches the entire body of the packet it sees. It shouldn't be a PCRE issue. You might want to look at assembling the stream. It might be that the string you are searching for is being broken between packets. Try firing up Wireshark and capturing the exact packets you want.
I created the custom classtype and it works OK. I feel it's something with it not capturing mail headers right or something; would a pcre be needed?
– ThatGuy
Oct 18 '11 at 15:30
answered Oct 18 '11 at 15:16 by Tim Brigham; edited Oct 18 '11 at 15:45
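The answer makes two separate points: a classtype that is not declared in classification.config (format: config classification: shortname,description,priority) is a configuration problem, not a matching problem, and a content match can silently miss when the string it looks for is split across TCP segments and the stream is not being reassembled for that port. The following is an added example, not code from the question or the answer. It builds a small constructed SMTP client session, chops it into fixed-size chunks standing in for TCP segments, and compares a matcher that inspects each segment on its own with one that inspects the reassembled stream. It also shows why matching the bare address anywhere in the payload is too loose: the same string appears in RCPT TO and in message headers, so a rule meant for "mail from this sender" should anchor on MAIL FROM. The sample session, the 50-byte segment size and the suggested rule text are assumptions made for this demonstration.

```python
"""Why a Snort content match on an SMTP sender can miss, and what to anchor on.

Added example, not code from the original question or answer. It constructs a
small SMTP client stream, splits it into fixed-size chunks standing in for TCP
segments, and compares a matcher that inspects each segment on its own (what a
content match sees when the stream is not reassembled) with one that inspects
the reassembled stream. Segment size, the sample session and the suggested rule
text are all assumptions made for the demonstration.
"""
import re
from typing import Dict, List, Optional

TARGET = "email@thatemail.com"

# Constructed SMTP client-side traffic for one message from the target sender.
# The address is deliberately mixed-case, which is why the rule needs nocase.
CLIENT_STREAM = (
    b"EHLO mail.example.net\r\n"
    b"MAIL FROM:<Email@ThatEmail.com>\r\n"
    b"RCPT TO:<someone@example.org>\r\n"
    b"DATA\r\n"
    b"From: Email@ThatEmail.com\r\n"
    b"To: someone@example.org\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"body text\r\n"
    b".\r\n"
)

# Assumed corrected rule (not from the original post): anchored on the SMTP
# envelope sender, reusing the stock policy-violation classtype so no
# classification.config edit is needed, with a local sid above 1000000.
SUGGESTED_RULE = (
    'alert tcp any any -> any 25 (msg:"Target Email Detected"; '
    'flow:to_server,established; content:"MAIL FROM|3A|"; nocase; '
    'content:"email@thatemail.com"; nocase; distance:0; within:64; '
    'fast_pattern; classtype:policy-violation; sid:1000001; rev:1;)'
)


def segment(stream: bytes, size: int) -> List[bytes]:
    """Cut a byte stream into fixed-size chunks, standing in for TCP segments."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def contains(haystack: bytes, needle: str) -> bool:
    """Case-insensitive literal match, the equivalent of content plus nocase."""
    return needle.lower().encode("latin-1") in haystack.lower()


def per_packet_match(segments: List[bytes], needle: str) -> bool:
    """True if some single segment carries the whole needle (no reassembly)."""
    return any(contains(seg, needle) for seg in segments)


def reassembled_match(segments: List[bytes], needle: str) -> bool:
    """True if the needle appears once the segments are stitched back together."""
    return contains(b"".join(segments), needle)


def mail_from_sender(stream: bytes) -> Optional[str]:
    """Extract the envelope sender from the MAIL FROM command, lower-cased.

    Anchoring on MAIL FROM is what the suggested rule does; matching the bare
    address anywhere in the payload would also fire when it appears in RCPT TO
    or in a forwarded message body, i.e. on mail to the target rather than
    from it.
    """
    m = re.search(rb"(?im)^MAIL FROM:\s*<([^>]+)>", stream)
    return m.group(1).decode("latin-1").lower() if m else None


def detect(segment_size: int) -> Dict[str, object]:
    """Run both matchers over the sample session at a given segment size."""
    segs = segment(CLIENT_STREAM, segment_size)
    return {
        "segments": len(segs),
        "per_packet": per_packet_match(segs, TARGET),
        "reassembled": reassembled_match(segs, TARGET),
        "envelope_sender_is_target": mail_from_sender(b"".join(segs)) == TARGET,
    }


if __name__ == "__main__":
    # A 50-byte segment size happens to split both copies of the address, so the
    # per-segment matcher misses while the reassembled one fires.
    for size in (50, 200):
        print(size, detect(size))
```

Against this session, a 50-byte segment size splits the address in both the MAIL FROM command and the From: header, so the per-segment matcher reports no hit while the reassembled matcher does; at 200 bytes the whole session is one segment and both agree. On a real sensor the equivalent check is confirming that TCP port 25 is in the stream5_tcp preprocessor's port list so the client stream is reassembled before rules run, then using Wireshark as the answer suggests to see where the segment boundaries actually fall.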