[Snort-sigs] Yahoo mail updates

Matthew Watchinski mwatchinski at ...435...
Wed Jul 7 14:57:07 EDT 2004


Some comments inline

Matthew Jonkman wrote:

> Fixed a couple of the Yahoo mail rules. Simplified and added 
> uricontent, they're more reliable now.
>
> Also added one to get the yahoo mail login. Comments welcome. They're 
> on bleedingsnort.com.
>
> alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Inbox 
> View"; uricontent:"/ym/ShowFolder?rb=Inbox"; nocase; 
> flow:to_server,established; classtype: policy-violation; sid:2000041; 
> rev:5;)

I'm assuming all the following commands can be executed using a POST or 
GET HTTP method, since that is normally the standard way web apps work 
these days.  With that assumption I'd refactor your rules in the 
following way to catch more things.

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Yahoo 
Mail Inbox View"; uricontent:"/ym/ShowFolder"; nocase; 
content:"rb=Inbox"; nocase; flow:to_server,established; classtype: 
policy-violation; sid:2000041; rev:5;)

This is a slight change, for the following reasons.
1. rb=Inbox is most likely not positionally dependent, i.e. the web request 
could be:
GET /ym/ShowFolder?foo=bar&rb=Inbox

The original rule wouldn't fire on that.

Also by moving rb=Inbox to its own content match you can use one rule 
for both POST and GET requests.

i.e.

POST /ym/ShowFolder
<header crap>

rb=Inbox

will match and so will

GET /ym/Showfolder?rb=Inbox


>
>
> alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail 
> Message View"; uricontent:"/ym/ShowLetter?MsgId"; nocase; 
> flow:to_server,established; classtype: policy-violation; sid:2000042; 
> rev:5;)
>
Same as above.....  Also use variables :)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Yahoo 
Mail Message View"; uricontent:"/ym/ShowLetter"; nocase; content:"MsgId"; 
nocase; flow:to_server,established; classtype: policy-violation; 
sid:2000042; rev:5;)

> alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail 
> Message Compose Open"; uricontent:"/ym/Compose?"; nocase; 
> flow:to_server,established; classtype: policy-violation; sid:2000043; 
> rev:5;)
>
No need for the "?" in most, if not all situations.

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Yahoo 
Mail Message Compose Open"; uricontent:"/ym/Compose"; nocase; 
flow:to_server,established; classtype: policy-violation; sid:2000043; 
rev:5;)

> alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail 
> Message Send"; content:"POST /ym/Compose?"; nocase; 
> flow:to_server,established; classtype: policy-violation; sid:2000044; 
> rev:4;)
>
No need for "POST"; uricontent does both.

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Message 
Send"; uricontent:"/ym/Compose"; nocase; flow:to_server,established; 
classtype: policy-violation; sid:2000044; rev:4;)

> alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail 
> Message Send Info Capture"; content:"crumb="; nocase; 
> content:"Subject="; nocase; flow:to_server,established; classtype: 
> policy-violation; sid:2000045; rev:5;)


Not sure what this rule does without a traffic capture.  Probably want 
to find some more things to anchor on.  Is there an associated URI with 
this?  Also use $EXTERNAL_NET

>
> alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail 
> Login"; uricontent:"/ym/login?.rand="; nocase; 
> flow:to_server,established; classtype: policy-violation; sid:2000341; 
> rev:1;)
>
Same as the first two.

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Login"; 
uricontent:"/ym/login"; nocase; content:".rand="; nocase; 
flow:to_server,established; classtype: policy-violation; sid:2000341; 
rev:1;)

Is the "." next to rand supposed to be here?

Also normal convention is to place the "flow" keyword directly after the 
"msg" keyword.

Cheers,
-matt

> Matt
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
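As an added illustration of the uricontent/content point made in the reply (this is not code from the mail, from the Bleeding Snort rule set or from Snort itself; the sample requests and the host name are constructed): a small Python model of how the two options see an HTTP request, run against the original single-uricontent form of sid:2000041 and the reworked path-plus-parameter form.

```python
# Added example, not part of the original thread: a toy matcher that models
# how Snort's uricontent and content options see an HTTP request, to show
# why splitting "/ym/ShowFolder?rb=Inbox" into a uricontent on the path plus
# a content on the parameter fires on more request shapes.
# Only the substring semantics of the two options are modeled; Snort's HTTP
# URI normalization and modifiers such as depth/offset are not.

from typing import Dict, List, Tuple

# An option is (keyword, pattern, nocase); keyword is "uricontent" or "content".
Option = Tuple[str, bytes, bool]


def request_uri(payload: bytes) -> bytes:
    """Return the request-target (path + query) from the HTTP request line."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def _match(haystack: bytes, needle: bytes, nocase: bool) -> bool:
    """Plain substring match, case-folded when nocase is set."""
    if nocase:
        return needle.lower() in haystack.lower()
    return needle in haystack


def rule_matches(options: List[Option], payload: bytes) -> bool:
    """Every option must match, as in a Snort rule: uricontent is checked
    against the URI only, content against the whole request payload."""
    for keyword, pattern, nocase in options:
        if keyword == "uricontent":
            if not _match(request_uri(payload), pattern, nocase):
                return False
        elif keyword == "content":
            if not _match(payload, pattern, nocase):
                return False
        else:
            raise ValueError(f"unsupported option {keyword!r}")
    return True


# sid:2000041 rev:5 as originally posted: one positional uricontent.
RULE_ORIGINAL: List[Option] = [("uricontent", b"/ym/ShowFolder?rb=Inbox", True)]

# The reworked rule from the reply: path in uricontent, parameter in content.
RULE_REFACTORED: List[Option] = [
    ("uricontent", b"/ym/ShowFolder", True),
    ("content", b"rb=Inbox", True),
]

# Constructed sample requests (not captured traffic); host name is illustrative.
SAMPLES: Dict[str, bytes] = {
    "get_plain": b"GET /ym/ShowFolder?rb=Inbox HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "get_reordered": b"GET /ym/ShowFolder?foo=bar&rb=Inbox HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "get_mixedcase": b"GET /ym/Showfolder?RB=inbox HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "post_form": (b"POST /ym/ShowFolder HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 8\r\n\r\nrb=Inbox"),
}


def compare(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample name to (original_rule_fires, refactored_rule_fires)."""
    return {name: (rule_matches(RULE_ORIGINAL, req), rule_matches(RULE_REFACTORED, req))
            for name, req in samples.items()}


if __name__ == "__main__":
    for name, (orig, refac) in compare().items():
        print(f"{name:14s} original={orig!s:5s} refactored={refac!s:5s}")
```

The reordered-query and POST-body samples are the two cases the reply describes: the original rule misses both, the split rule catches both. The split also shows the trade-off worth keeping in mind: an unanchored content option is checked against the whole payload, so "rb=Inbox" appearing in a header such as Referer would fire too, which is why narrowing with depth/offset or a second distinctive match (the "more things to anchor on" the reply asks for on sid:2000045) matters in the real rule.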