[Snort-sigs] Yahoo mail updates
matt at ...2436...
Thu Jul 1 16:09:05 EDT 2004
I agree with you on prevention. It's always the best bet.
These signatures come in handy in a lot of places though. Especially for
an organization like mine, where we watch a lot of small and large nets,
all with different policies and permissible practices, all with
different levels of technical competence, all with different levels of
risk, and many falling under several different federal regs.
I have some clients that allow webmail, but want to know when it's being
abused. So if we get, say, 100 Yahoo mail sends from one person a day,
we'll let the client know. Or for organizations where they haven't the
technology to block URLs, or the willingness to do so, we watch it for
any use at all and they can counsel employees.
But the main reason we spent the time writing these is for historical
purposes. Say a company starts to suspect an employee is harassing
someone via webmail, or maybe releasing internal info to the press
anonymously. They can have us go back as far as we have IDS data and
tell them exactly what this person has sent out via Yahoo, Hotmail, etc.
And often we can alleviate or confirm their fears without having to have
any kind of ugly confrontation with the employee based on hearsay.
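The two uses described above (a per-person daily threshold on webmail sends, and pulling a single host's send history back out of stored alerts) can both be done by post-processing Snort's alert log. The following is an added example, not code from the original post or from the Snort project: it parses Snort "fast" alert lines, counts hits for one signature per source IP per day, flags sources over a threshold, and lists one host's history. The SID `1000001`, the message text `WEBMAIL Yahoo mail send`, and every alert line are constructed placeholders for the example; the real rules and their SIDs are not shown on this page.

```python
"""Aggregate and query Snort fast-format alerts for a webmail-send signature.

Added example, not part of the original post. The signature ID, message text
and all alert lines below are constructed for illustration.
"""
import re
from collections import defaultdict

# Snort "fast" alert format (alert_fast output), one alert per line, e.g.
# 07/01-09:00:00.000000  [**] [1:1000001:1] WEBMAIL Yahoo mail send [**] [Priority: 3] {TCP} 10.1.2.3:51000 -> 203.0.113.10:80
FAST_ALERT = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>[\d:.]+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

SID = "1000001"  # placeholder SID for the hypothetical "Yahoo mail send" rule


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_ALERT.match(line)
    return m.groupdict() if m else None


def count_sends(lines, sid):
    """Count alerts for `sid` per (source IP, date). Unparseable lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        a = parse_alert(line)
        if a and a["sid"] == sid:
            counts[(a["src"], a["date"])] += 1
    return dict(counts)


def flag_heavy_senders(lines, sid, threshold=100):
    """Sorted (src_ip, date, count) for every source/day at or above `threshold`."""
    return sorted(
        (src, day, n)
        for (src, day), n in count_sends(lines, sid).items()
        if n >= threshold
    )


def history_for(lines, src_ip):
    """Chronological (date, time, sid, msg, dst) for everything a host triggered."""
    hits = []
    for line in lines:
        a = parse_alert(line)
        if a and a["src"] == src_ip:
            hits.append((a["date"], a["time"], a["sid"], a["msg"], a["dst"]))
    return hits


# --- constructed sample data ---------------------------------------------
def make_alert(date, time, src, dst="203.0.113.10", sid=SID, msg="WEBMAIL Yahoo mail send"):
    """Build one fast-format alert line (constructed, not captured traffic)."""
    return (f"{date}-{time}  [**] [1:{sid}:1] {msg} [**] [Priority: 3] {{TCP}} "
            f"{src}:51000 -> {dst}:80")


SAMPLE_ALERTS = (
    # one host sending 120 times on 07/01: the case the post says clients want to hear about
    [make_alert("07/01", f"{9 + i // 60:02d}:{i % 60:02d}:00.000000", "10.1.2.3")
     for i in range(120)]
    # a light user, well under the threshold
    + [make_alert("07/01", "10:00:00.000000", "10.1.2.4")] * 5
    # the heavy host again next day, only a few sends
    + [make_alert("07/02", "10:00:00.000000", "10.1.2.3")] * 3
    # a different (placeholder) signature that must not be counted against SID 1000001
    + [make_alert("07/01", "11:00:00.000000", "10.1.2.5", sid="1000002", msg="WEBMAIL Hotmail send")]
    + ["not an alert line at all"]
)

if __name__ == "__main__":
    for src, day, n in flag_heavy_senders(SAMPLE_ALERTS, SID):
        print(f"{day} {src}: {n} sends")
    for hit in history_for(SAMPLE_ALERTS, "10.1.2.5"):
        print(hit)
```

Feed it the real `alert` file (`count_sends(open("alert"), sid)`) and the day key falls out of the timestamp Snort already writes; the only policy knob is `threshold`, which matches the "say 100 a day" figure in the post.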
We had one incident not too long ago where we took a user's entire log of
chat messages for 6 months, where they discussed an entire crime
(stealing internal information to create their own firm), to a deposition
and forced a settlement. No trial, very reduced legal fees. No bad
press. It'd be doubtful you could get those logs into court (i.e. proving
what workstation they came from, who was on at the time, etc.), but just
having that much information is enough to avoid the whole thing. They
knew they were had, and couldn't utter another word of denial.
So it's not always as black and white as allowing or not allowing chat
or webmail, etc.
IDS is a great tool; it's not just for security anymore. :)
Adrian Marsden wrote:
> If you block http://login.yahoo.com/ with a web filter then these rules are unnecessary. They can't get there in the first place. I know that in all environments this isn't feasible, but where it is, it is easier than chasing after the offender after they infect a network with something.
> Matt: As a note... I'm not picking on you.... You are doing good work.... I just prefer using technology to prevent things if it is acceptable in the environment. I know I spent ages trying to stop people from getting to personal email before I found the "key" places to block. I'm putting this in there for the benefit of those who might think that, because the IPs of the big mail providers' mail servers change so often and spread over a range that would be unacceptable to block, they can't. I have learned to look for the "choke points" - those places that the user _must_ go through and that don't change their FQDN.