[Snort-sigs] Yahoo mail updates

Matthew Jonkman matt at ...2436...
Thu Jul 1 14:45:04 EDT 2004


Fixed a couple of the Yahoo mail rules. Simplified and added uricontent; 
they're more reliable now.

Also added one to get the Yahoo mail login. Comments welcome. They're on 
bleedingsnort.com.

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Inbox View"; uricontent:"/ym/ShowFolder?rb=Inbox"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000041; rev:5;)

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Message View"; uricontent:"/ym/ShowLetter?MsgId"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000042; rev:5;)

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Message Compose Open"; uricontent:"/ym/Compose?"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000043; rev:5;)

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Message Send"; content:"POST /ym/Compose?"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000044; rev:4;)

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Message Send Info Capture"; content:"crumb="; nocase; content:"Subject="; nocase; flow:to_server,established; classtype: policy-violation; sid:2000045; rev:5;)

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Login"; uricontent:"/ym/login?.rand="; nocase; flow:to_server,established; classtype: policy-violation; sid:2000341; rev:1;)

Matt
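
An added example, not part of the original post and not Snort code: a small Python harness that applies the six rules' patterns to constructed HTTP requests and reports which SIDs would fire. It assumes percent-decoding as a stand-in for Snort's normalized URI buffer, and does not model $HOME_NET, port 80 or flow state; the host name and request parameters are constructed.

```python
from urllib.parse import unquote

# (sid, buffer, patterns) transcribed from the rules in the post; all are nocase.
# "uri" = uricontent (matched on the normalized URI), "raw" = content (raw payload).
RULES = [
    (2000041, "uri", ["/ym/ShowFolder?rb=Inbox"]),
    (2000042, "uri", ["/ym/ShowLetter?MsgId"]),
    (2000043, "uri", ["/ym/Compose?"]),
    (2000044, "raw", ["POST /ym/Compose?"]),
    (2000045, "raw", ["crumb=", "Subject="]),
    (2000341, "uri", ["/ym/login?.rand="]),
]

def request_uri(payload: bytes) -> str:
    """Percent-decoded request URI (assumed simplification of URI normalization)."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    return unquote(parts[1]) if len(parts) >= 2 else ""

def matching_sids(payload: bytes) -> list[int]:
    """Return the SIDs whose patterns all occur in the relevant buffer."""
    raw = payload.decode("latin-1").lower()
    uri = request_uri(payload).lower()
    hits = []
    for sid, buffer, patterns in RULES:
        haystack = uri if buffer == "uri" else raw
        # Several content options with no distance/within: all must be present.
        if all(p.lower() in haystack for p in patterns):
            hits.append(sid)
    return hits

# Constructed sample requests (not captured traffic).
HDR = b" HTTP/1.1\r\nHost: mail.example\r\n\r\n"
SAMPLES = {
    "inbox": b"GET /ym/ShowFolder?rb=Inbox&reset=1" + HDR,
    "inbox_encoded": b"GET /ym/ShowFolder?rb=%49nbox" + HDR,
    "compose_open": b"GET /ym/Compose?YY=1" + HDR,
    "send": b"POST /ym/Compose?YY=1" + HDR + b"crumb=abc&Subject=hello&Body=test",
    "login": b"GET /ym/login?.rand=123" + HDR,
    "other": b"GET /index.html" + HDR,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:14} -> {matching_sids(payload)}")
```

The "send" request fires three rules at once because the Compose Open uricontent also matches the POST URI, which is worth knowing when counting alerts per user action.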



