[Snort-sigs] Yahoo mail updates

Matthew Jonkman matt at ...2436...
Wed Jul 7 19:33:04 EDT 2004


Now we're talking. This is what I love about this list. :)

I'll get all of the updates posted shortly. A few answers below:

Matthew Watchinski wrote:

>> alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail 
>> Message Send Info Capture"; content:"crumb="; nocase; 
>> content:"Subject="; nocase; flow:to_server,established; classtype: 
>> policy-violation; sid:2000045; rev:5;)
> 
> 
> 
> Not sure what this rule does without a traffic capture.  Probably want 
> to find some more things to anchor on.  Is there an associated URI with 
> this?  Also use $EXTERNAL_NET

This one captures the text of the sent mail message. That's the original 
motivation of a client of ours for writing the set of rules. They needed 
to know what a user about to be canned was up to. It works pretty well.

The reason I made so many rules here was to allow us to either track 
logins, or catch email texts, or just see who was spending too much time 
on yahoo mail. Using all of them at once is overkill. In fact, I may put 
a few of them off by default in the bleeding rules, and let people enable 
the set they are interested in via oinkmaster.

> alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Login"; 
> uricontent:"/ym/login"; nocase; content:".rand="; nocase; 
> flow:to_server,established; classtype: policy-violation; sid:2000341; 
> rev:1;)
> 
> is the "." next to rand supposed to be here?

Ya, it was unique in the traffic I was watching. However the rule is 
hitting on a lot more than just the initial login. I plan to revisit 
that when I get some time.

> 
> Also normal convention is to place the "flow" keyword directly after the 
> "msg" keyword.
> 
Will do. :)

Thanks very much for your advice. As I said, I'll get these updated and 
posted asap.

Matt
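The review points raised in this thread (destination should be $EXTERNAL_NET rather than "any", flow should sit directly after msg, the rule should have a URI or other anchor, and every option needs its colon) are mechanical enough to check with a small linter. The script below is an added example, not code from the list or from the Bleeding Edge rule set; it parses the two rules as they were posted and reports each point. The finding codes and the corrected third rule are my own constructions, built by applying the reply's suggestions to the login rule.

```python
import re

# The two rules from the thread, as posted. The second one keeps the
# missing colon in content".rand=" so the linter has something to catch.
RULES = [
    'alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Message Send Info Capture"; '
    'content:"crumb="; nocase; content:"Subject="; nocase; flow:to_server,established; '
    'classtype: policy-violation; sid:2000045; rev:5;)',
    'alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yahoo Mail Login"; uricontent:"/ym/login"; '
    'nocase; content".rand="; nocase; flow:to_server,established; classtype: policy-violation; '
    'sid:2000341; rev:1;)',
]

# Constructed: the login rule with the reviewer's suggestions applied
# ($EXTERNAL_NET as destination, flow right after msg, colon restored).
FIXED_LOGIN_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Yahoo Mail Login"; '
    'flow:to_server,established; uricontent:"/ym/login"; nocase; content:".rand="; nocase; '
    'classtype:policy-violation; sid:2000341; rev:1;)'
)

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$'
)


def split_options(body):
    """Split the option body on ';' outside double quotes.

    Returns (keyword, value) pairs; a bare modifier such as nocase has
    value None. A token without ':' is returned whole as the keyword so
    the linter can flag it."""
    tokens, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            tok = ''.join(cur).strip()
            if tok:
                tokens.append(tok)
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        tokens.append(tail)
    pairs = []
    for tok in tokens:
        if ':' in tok:
            key, val = tok.split(':', 1)
            pairs.append((key.strip(), val.strip()))
        else:
            pairs.append((tok, None))
    return pairs


def lint_rule(rule):
    """Return a list of (code, message) findings for one Snort rule."""
    findings = []
    m = HEADER_RE.match(rule)
    if not m:
        return [('BAD_HEADER', 'rule header did not parse')]
    _action, _proto, src, _sport, _direction, dst, _dport, body = m.groups()

    # Point 1: $HOME_NET -> any also matches internal web servers on :80.
    if src == '$HOME_NET' and dst == 'any':
        findings.append(('DST_ANY', 'destination is "any"; use $EXTERNAL_NET'))

    opts = split_options(body)
    keys = [k for k, _ in opts]

    # Point 2: every option keyword must be a bare word, so a quote
    # glued onto it means the ':' between keyword and value is missing.
    for key, _ in opts:
        if not re.fullmatch(r'\w+', key):
            findings.append(('MALFORMED_OPTION',
                             'option %r is missing ":" between keyword and value' % key))

    # Point 3: convention places flow directly after msg (a style point;
    # Snort evaluates the rule the same way either way).
    if 'msg' in keys and 'flow' in keys and keys.index('flow') != keys.index('msg') + 1:
        findings.append(('FLOW_POSITION', 'flow should directly follow msg'))

    # Point 4: the reviewer asked for a URI to anchor on.
    if 'uricontent' not in keys:
        findings.append(('NO_URI_ANCHOR', 'no uricontent anchor; match on the request URI if one exists'))

    return findings


if __name__ == '__main__':
    for rule in RULES + [FIXED_LOGIN_RULE]:
        print(rule[:60] + '...')
        for code, msg in lint_rule(rule) or [('OK', 'no findings')]:
            print('  %-17s %s' % (code, msg))
```

The quote-aware splitter matters because a `;` inside a `content` or `msg` string must not end the option; splitting naively on `;` would mis-parse rules that match on `;`-bearing payloads. The flow-position check is reported as style only, which matches how the reply phrases it.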
