Snort email rule to alert about any email from a specific user


I am new to Snort rules and need a rule that will alert on any email from a specific user. For example:

    alert tcp any any -> any 25 (msg:"Target Email Detected"; content:"email@thatemail.com"; fast_pattern:only; nocase; classtype: Target Email Detected ;sid:12345 ;)

As of now this rule will sniff it if it is in the content, but mail from the email address above is not alerted on.










Tags: email, snort






asked Oct 18 '11 at 14:55 by ThatGuy; edited Oct 21 '11 at 0:49 by studiohack





1 Answer
Your rule looks good for the most part. I believe the problem has to do with your sid mapping / classtype. If you define a new classtype as you have done, there are additional configuration options that need to be set; in this case it is much easier to recycle something existing. I would suggest using a classtype of policy-violation.

Re: comment

The content field searches the entire body of the packet it sees. It shouldn't be a PCRE issue. You might want to look at assembling the stream. It might be that the string you are searching for is being broken between packets. Try firing up Wireshark and capturing the exact packets you want.






answered Oct 18 '11 at 15:16 by Tim Brigham; edited Oct 18 '11 at 15:45
• I created the custom classtype and it works OK. I feel it's something with it not capturing mail headers right, or something. Would a pcre be needed?

  – ThatGuy
  Oct 18 '11 at 15:30
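As an added example (not part of the question or of Tim Brigham's answer), here is how the rule in the question can be rewritten so that it matches the sender where SMTP actually carries it, on the reassembled client-to-server stream, rather than any occurrence of the address in any single packet, together with the classification line that a custom classtype needs. The variables $EXTERNAL_NET and $SMTP_SERVERS are the ones defined in the stock snort.conf; the classification name target-email, the sids 1000001 and 1000002, the priority and the within: limits are assumptions chosen for this example, not values taken from the page.

```snort
# Added example, not the OP's or the answerer's configuration.
# A custom classtype must exist in classification.config (or snort.conf) before a
# rule may reference it, and the name may not contain spaces. Name, description
# and priority below are assumptions for this example.
config classification: target-email,Mail from a watched sender address,2

# Rule 1: envelope sender. The SMTP client sends "MAIL FROM:<addr>" to the server,
# so anchor on that command, on client-to-server traffic only, and require the
# watched address shortly after it. flow:established makes Snort evaluate the
# rule against the stream5-reassembled session (port 25 client traffic is
# reassembled in the default config), which is what removes the "string split
# across two packets" failure described in the answer.
# fast_pattern goes on the address, the more selective of the two strings;
# fast_pattern:only cannot be used here because that content carries relative
# modifiers (distance/within).
# Local sids must be >= 1000000; values below that, like 12345, are reserved for
# the official rule sets and can collide with them.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"POLICY Mail from watched sender in MAIL FROM"; \
    flow:to_server,established; \
    content:"MAIL FROM|3A|"; nocase; \
    content:"email@thatemail.com"; nocase; fast_pattern; distance:0; within:200; \
    classtype:policy-violation; \
    sid:1000001; rev:1; )

# Rule 2: the From: message header, which is what the "mail headers" comment is
# about. Envelope sender and header sender can differ (forwarding, mailing
# lists, forgery), so watch both. The leading |0A| pins "From:" to the start of
# a line, so "Resent-From:" or a "From:" quoted inside the body does not fire it.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( \
    msg:"POLICY Mail from watched sender in From header"; \
    flow:to_server,established; \
    content:"|0A|From|3A|"; nocase; \
    content:"email@thatemail.com"; nocase; fast_pattern; distance:0; within:200; \
    classtype:policy-violation; \
    sid:1000002; rev:1; )
```

Check the syntax with `snort -T -c snort.conf`, then replay a capture of one real session with `snort -c snort.conf -r session.pcap -A console` before enabling the rules on a live sensor. The capture also answers the question the answer raises: whether the address is in the client-to-server stream at all. Mail submitted on port 587, or over TLS (SMTPS on 465, or STARTTLS on 25), never presents a cleartext MAIL FROM or From: line to a port-25 rule, and no content or pcre option will change that.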


















