[Snort-sigs] Yahoo mail updates
matt at ...2436...
Wed Jul 7 19:33:04 EDT 2004
Now we're talking. This is what I love about this list. :)
I'll get all of the updates posted shortly. A few answers below:
Matthew Watchinski wrote:
>> alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail
>> Message Send Info Capture"; content:"crumb="; nocase;
>> content:"Subject="; nocase; flow:to_server,established; classtype:
>> policy-violation; sid:2000045; rev:5;)
> Not sure what this rule does without a traffic capture. Probably want
> to find some more things to anchor on. Is there an associated URI with
> this? Also use $EXTERNAL_NET
This one captures the text of the sent mail message. That's the original
motivation of a client of ours for writing the set of rules. They needed
to know what a user about to be canned was up to. It works pretty well.
The reason I made so many rules here was to allow us to either track
logins, or catch email texts, or just see who was spending too much time
on Yahoo Mail. Using all of them at once is overkill. In fact, I may turn
a few of them off by default in the bleeding rules and let people enable
the set they are interested in via oinkmaster.
> alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Login";
> uricontent:"/ym/login"; nocase; content:".rand="; nocase;
> flow:to_server,established; classtype: policy-violation; sid:2000341;
> is the "." next to rand supposed to be here?
Ya, it was unique in the traffic I was watching. However the rule is
hitting on a lot more than just the initial login. I plan to revisit
that when I get some time.
> Also normal convention is to place the "flow" keyword directly after the
> "msg" keyword.
Will do. :)
Thanks very much for your advice. As I said, I'll get these updated and
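As an added illustration (not code from this list or from the Bleeding Edge rule set), here is a small evaluator for the content, uricontent and nocase options of the two rules quoted above, run over constructed HTTP requests. It ignores the rule header and the flow option, and the sample requests are made up to show why the reviewer asks for more anchors.

```python
import re
from typing import List, Tuple

# Option strings of the two rules quoted in the thread (headers omitted).
RULES = {
    "send": 'msg:"BLEEDING-EDGE Yahoo Mail Message Send Info Capture"; '
            'content:"crumb="; nocase; content:"Subject="; nocase; '
            'flow:to_server,established;',
    "login": 'msg:"BLEEDING-EDGE Yahoo Mail Login"; uricontent:"/ym/login"; '
             'nocase; content:".rand="; nocase; flow:to_server,established;',
}

# Constructed requests, not captured traffic.
SAMPLES = {
    # initial login page fetch: URI anchor and .rand= both present
    "login_page": "GET /ym/login?.rand=1234 HTTP/1.0\r\nHost: mail.example\r\n\r\n",
    # any later request under the same URI prefix fires the login rule as well
    "later_hit": "GET /ym/login/next?.rand=5678 HTTP/1.0\r\nHost: mail.example\r\n\r\n",
    # message send: crumb= and SUBJECT= (case differs) in the POST body
    "send": "POST /ym/Compose HTTP/1.0\r\nHost: mail.example\r\n\r\n"
            "crumb=abc&SUBJECT=status&Body=see+you",
    # unrelated form carrying the same two fields: send rule fires here too
    "other_form": "POST /contact HTTP/1.0\r\nHost: www.example\r\n\r\ncrumb=x&Subject=hi",
}


def parse_matchers(options: str) -> List[Tuple[str, str, bool]]:
    """Return (kind, pattern, nocase) for each content/uricontent option;
    a bare 'nocase' modifies the content option that precedes it."""
    found = []
    for opt in (o.strip() for o in options.split(";")):
        m = re.match(r'(content|uricontent):"([^"]*)"$', opt)
        if m:
            found.append([m.group(1), m.group(2), False])
        elif opt == "nocase" and found:
            found[-1][2] = True
    return [tuple(f) for f in found]


def rule_matches(options: str, request: str) -> bool:
    """All content options are ANDed. uricontent is checked against the
    request-line URI; plain content against the whole request payload."""
    parts = request.split("\r\n", 1)[0].split(" ")
    uri = parts[1] if len(parts) > 1 else ""
    for kind, pattern, nocase in parse_matchers(options):
        hay = uri if kind == "uricontent" else request
        if nocase:
            hay, pattern = hay.lower(), pattern.lower()
        if pattern not in hay:
            return False
    return True


def matching_rules(request: str) -> List[str]:
    return [name for name, opts in RULES.items() if rule_matches(opts, request)]
```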