Snort Analyser
First select your Wireshark trace:
Trace name: /log/email_two_attachments.zip
Snort Output
The Snort output (alert.ids, in Snort's full alert format) is:

[**] [1:9000002:1] SMTP connection detection [**]
[Priority: 0]
01/05-21:41:38.628223 192.168.47.171:2826 -> 192.168.47.134:25
TCP TTL:128 TOS:0x0 ID:13587 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB148456F  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
Rules file
# Email rules
alert tcp any any -> any 110 (flags:S;msg:"Pop-3 connection detection";sid:9000000;rev:1;)
alert tcp any any -> any 143 (flags:S;msg:"IMAP connection detection";sid:9000001;rev:1;)
alert tcp any any -> any 25 (flags:S;msg:"SMTP connection detection";sid:9000002;rev:1;)
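The three rules above fire on a TCP SYN (flags:S) to the POP3, IMAP and SMTP ports, and the alert record shows the fields Snort writes when sid 9000002 matches. The following is an added example, not part of the original page or of Snort: a small Python parser that reads the rules file into a sid-indexed map, parses full-format alert records into structured fields, and cross-checks each alert against the rule that raised it (same sid and message, destination port covered by the rule, SYN-only flag field for a flags:S rule). The sample rules and alert text are constructed inline from the page's own content; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the three rules from the page's rules file.
RULES = """\
# Email rules
alert tcp any any -> any 110 (flags:S;msg:"Pop-3 connection detection";sid:9000000;rev:1;)
alert tcp any any -> any 143 (flags:S;msg:"IMAP connection detection";sid:9000001;rev:1;)
alert tcp any any -> any 25 (flags:S;msg:"SMTP connection detection";sid:9000002;rev:1;)
"""

# Constructed sample input: the page's alert record in Snort's multi-line "full" format.
ALERTS = """\
[**] [1:9000002:1] SMTP connection detection [**]
[Priority: 0]
01/05-21:41:38.628223 192.168.47.171:2826 -> 192.168.47.134:25
TCP TTL:128 TOS:0x0 ID:13587 IpLen:20 DgmLen:48 DF
******S* Seq: 0xB148456F  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_port: str
    dst: str
    dst_port: str
    options: Dict[str, str] = field(default_factory=dict)

@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    priority: Optional[int] = None
    timestamp: str = ""
    src_ip: str = ""
    src_port: int = 0
    dst_ip: str = ""
    dst_port: int = 0
    proto: str = ""
    tcp_flags: Optional[str] = None  # the 8-character "12UAPRSF" field, e.g. ******S*

# Rule header: action proto src src_port -> dst dst_port (options)
RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$')
PRIORITY_RE = re.compile(r'\[Priority: (\d+)\]')
ENDPOINT_RE = re.compile(r'^(\S+) (\S+):(\d+) -> (\S+):(\d+)$')
IPHDR_RE = re.compile(r'^(TCP|UDP|ICMP) TTL:')          # IP-header line, not "TCP Options"
FLAGS_RE = re.compile(r'^([12UAPRSF*]{8}) Seq:')

def parse_rules(text: str) -> Dict[int, Rule]:
    """Parse simple Snort rules into a sid -> Rule map.
    Options are split on ';', so a msg containing ';' would need a fuller parser."""
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        opts: Dict[str, str] = {}
        for opt in m.group(7).split(';'):
            opt = opt.strip()
            if opt:
                key, _, val = opt.partition(':')
                opts[key.strip()] = val.strip().strip('"')
        rules[int(opts['sid'])] = Rule(*m.groups()[:6], options=opts)
    return rules

def parse_alerts(text: str) -> List[Alert]:
    """Parse full-format alert records; records are separated by blank lines."""
    alerts: List[Alert] = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        hm = HEADER_RE.match(lines[0])
        if not hm:
            raise ValueError(f"unexpected alert header: {lines[0]}")
        a = Alert(int(hm.group(1)), int(hm.group(2)), int(hm.group(3)), hm.group(4))
        for line in lines[1:]:
            if (pm := PRIORITY_RE.search(line)):
                a.priority = int(pm.group(1))
            elif (em := ENDPOINT_RE.match(line)):
                a.timestamp, a.src_ip, a.src_port = em.group(1), em.group(2), int(em.group(3))
                a.dst_ip, a.dst_port = em.group(4), int(em.group(5))
            elif (im := IPHDR_RE.match(line)):
                a.proto = im.group(1)
            elif (fm := FLAGS_RE.match(line)):
                a.tcp_flags = fm.group(1)
        alerts.append(a)
    return alerts

def alert_matches_rule(alert: Alert, rules: Dict[int, Rule]) -> bool:
    """Consistency check between an alert and the rule with the same sid."""
    rule = rules.get(alert.sid)
    if rule is None or rule.options.get('msg') != alert.msg:
        return False
    if rule.dst_port != 'any' and int(rule.dst_port) != alert.dst_port:
        return False
    if rule.options.get('flags') == 'S' and alert.tcp_flags != '******S*':
        return False  # flags:S means SYN set and the other flag bits clear
    return True

def summarise(rules_text: str, alerts_text: str) -> List[dict]:
    rules = parse_rules(rules_text)
    return [{'sid': a.sid, 'msg': a.msg, 'dst': f"{a.dst_ip}:{a.dst_port}",
             'consistent': alert_matches_rule(a, rules)} for a in parse_alerts(alerts_text)]

if __name__ == '__main__':
    for row in summarise(RULES, ALERTS):
        print(row)
```

Feeding a real alert file in place of the constructed ALERTS string gives a per-record table that is easy to sort by sid or destination, and the consistency check catches a rules file that has drifted from the one that produced the alerts.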
Examples
You can run Snort as a stand-alone analyser on a saved capture file using the "-r" option. The following traces can be used with Snort:
- Trace with Hydra FTP crack/Bad Login
- Trace with Hydra Telnet crack
- Trace with Port Scan
- Trace with SYN Flood (DoS)
- Trace with FIN Flood (DoS)
- Trace with PDF file
- Trace with GIF file
- Trace with PNG file
- Trace with email attachments (MIME)
- Trace with email addresses
- Trace with credit card details
- Trace with DNS
- Trace with Ping sweep
- Trace with SNMP
- Trace with ARP Spoof
- Trace with Heartbleed
- Teardrop DoS
- Bittorrent