[Snort-sigs] Yahoo mail updates

Adrian Marsden amarsden at ...2045...
Thu Jul 1 15:06:02 EDT 2004


If you block http://login.yahoo.com/ with a web filter, then these rules are unnecessary: they can't get there in the first place. I know that this isn't feasible in all environments, but where it is, it is easier than chasing after the offender after they infect a network with something.
 
Matt: As a note... I'm not picking on you... You are doing good work... I just prefer using technology to prevent things if it is acceptable in the environment. I know I spent ages trying to stop people from getting to personal email before I found the "key" places to block. I'm putting this in here for the benefit of those who might think they can't block the big mail providers because the IPs of their mail servers change so often and are spread across a range that would be unacceptable to block. I have learned to look for the "choke points" - those places that the user _must_ go through and that don't change their FQDN.

	-----Original Message----- 
	From: Matthew Jonkman [mailto:matt at ...2436...] 
	Sent: Thu 7/1/2004 5:44 PM 
	To: snort-sigs mailinglist 
	Cc: 
	Subject: [Snort-sigs] Yahoo mail updates
	
	

	Fixed a couple of the Yahoo mail rules. Simplified and added uricontent,
	they're more reliable now.
	
	Also added one to get the yahoo mail login. Comments welcome. They're on
	bleedingsnort.com.
	
	alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Inbox View"; uricontent:"/ym/ShowFolder?rb=Inbox"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000041; rev:5;)
	
	alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Message View"; uricontent:"/ym/ShowLetter?MsgId"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000042; rev:5;)
	
	alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Message Compose Open"; uricontent:"/ym/Compose?"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000043; rev:5;)
	
	alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Message Send"; content:"POST /ym/Compose?"; nocase; flow:to_server,established; classtype: policy-violation; sid:2000044; rev:4;)
	
	alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Message Send Info Capture"; content:"crumb="; nocase; content:"Subject="; nocase; flow:to_server,established; classtype: policy-violation; sid:2000045; rev:5;)
	
	alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Login"; uricontent:"/ym/login?.rand="; nocase; flow:to_server,established; classtype: policy-violation; sid:2000341; rev:1;)
	
	Matt
	
	
	_______________________________________________
	Snort-sigs mailing list
	Snort-sigs at lists.sourceforge.net
	https://lists.sourceforge.net/lists/listinfo/snort-sigs
	
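The matching logic these six rules express, run over a few constructed HTTP requests, as an added Python example that is not from the post or from bleedingsnort.com. It approximates Snort's nocase uricontent (request-target only) and content (whole request) checks, and shows that sid 2000045, which has no URI anchor, also fires on an unrelated form post that happens to carry crumb= and Subject=.

```python
# Added example: a simplified, offline re-implementation of the matching the
# posted rules perform. Not Snort itself: uricontent is approximated by the
# raw request-target and content by the whole request; both are nocase.
RULES = [
    {"sid": 2000041, "uri": ["/ym/ShowFolder?rb=Inbox"], "raw": []},
    {"sid": 2000042, "uri": ["/ym/ShowLetter?MsgId"], "raw": []},
    {"sid": 2000043, "uri": ["/ym/Compose?"], "raw": []},
    {"sid": 2000044, "uri": [], "raw": ["POST /ym/Compose?"]},
    {"sid": 2000045, "uri": [], "raw": ["crumb=", "Subject="]},
    {"sid": 2000341, "uri": ["/ym/login?.rand="], "raw": []},
]

# Constructed sample requests (hostnames are placeholders, not real traffic).
SAMPLES = {
    "inbox": "GET /ym/ShowFolder?rb=Inbox&YY=1 HTTP/1.1\r\nHost: mail.example.test\r\n\r\n",
    "send": ("POST /ym/Compose?YY=2 HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"
             "crumb=abc123&To=bob&Subject=hello&Body=hi"),
    "login": "GET /ym/login?.rand=7781 HTTP/1.1\r\nHost: login.example.test\r\n\r\n",
    # Unrelated forum post: no /ym/ path, but both content strings of sid 2000045.
    "other_form": ("POST /forum/post.php HTTP/1.1\r\nHost: forum.example.test\r\n\r\n"
                   "crumb=1&Subject=Unrelated"),
}


def request_uri(request):
    """Return the request-target from the request line, or '' if absent."""
    parts = request.split("\r\n", 1)[0].split(" ")
    return parts[1] if len(parts) > 1 else ""


def match_sids(request):
    """Return the sids of every rule whose patterns all appear, case-insensitively."""
    uri = request_uri(request).lower()
    raw = request.lower()
    hits = []
    for rule in RULES:
        uri_ok = all(p.lower() in uri for p in rule["uri"])
        raw_ok = all(p.lower() in raw for p in rule["raw"])
        if uri_ok and raw_ok:
            hits.append(rule["sid"])
    return hits


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:11s} -> {match_sids(req)}")
```

Note that a single message send trips 2000043, 2000044 and 2000045 together, which is useful when correlating alerts into one event.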
