[Snort-sigs] AOL Webmail rules

Matthew Jonkman matt at ...2436...
Wed Jul 21 14:25:08 EDT 2004


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE AOL Webmail Message Send"; uricontent:"/compose_frame.adp"; content:"POST"; sid:2000571; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE AOL Webmail Login"; uricontent:"/login/login.psp?siteId="; content:"triedAimAuth"; sid:2000572; rev:1;)
-
These work fairly well, but it seems that AOL compresses the text of the 
message, so it's not easily capturable.

I think the login rule is hitting on more than the initial login. I'm 
not an AOL user myself, though, so I can't get in and test it. If anyone 
out there is an AOL user, can you hop in and see if there is some unique 
string that we can key on to make sure we just get the initial login?

The login user and pass submission goes over HTTPS, but then the session goes 
back to HTTP. So I assume there's something simple in the new URL that 
would indicate so.

These are on bleedingsnort.

Matt
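Added example (not part of Matt's post or the bleedingsnort rule set): a small Python matcher that applies the two posted signatures to constructed HTTP requests, approximating Snort's rule semantics (uricontent checked against the URI, an unmodified content pattern searched across the whole payload). Hostnames and request bodies are placeholders, and the matcher is a simplification, not Snort's detection engine.

```python
import re

# The two signatures from the post, reduced to their option strings (constructed test data).
RULES = {
    2000571: 'msg:"BLEEDING-EDGE AOL Webmail Message Send"; uricontent:"/compose_frame.adp"; content:"POST";',
    2000572: 'msg:"BLEEDING-EDGE AOL Webmail Login"; uricontent:"/login/login.psp?siteId="; content:"triedAimAuth";',
}

OPTION_RE = re.compile(r'(\w+):"([^"]*)";')


def parse_options(option_string):
    """Map each option keyword to its quoted value (one value per keyword is enough for these rules)."""
    return dict(OPTION_RE.findall(option_string))


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into method, URI and the full payload the rule would inspect."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, uri, _version = request_line.split(" ", 2)
    return {"method": method, "uri": uri, "payload": raw}


def rule_matches(option_string, request):
    """Approximation of Snort semantics: uricontent is checked against the request URI,
    while a content pattern without depth/offset modifiers is searched across the entire payload."""
    opts = parse_options(option_string)
    if "uricontent" in opts and opts["uricontent"] not in request["uri"]:
        return False
    if "content" in opts and opts["content"] not in request["payload"]:
        return False
    return True


def matching_sids(raw_request, rules=RULES):
    """Return the SIDs of all rules that fire on one raw request."""
    request = parse_http_request(raw_request)
    return sorted(sid for sid, opts in rules.items() if rule_matches(opts, request))


# Constructed sample requests (hostnames are placeholders, not captured traffic).
SEND_POST = "POST /compose_frame.adp HTTP/1.1\r\nHost: webmail.example\r\n\r\nsubject=hello&body=hi"
COMPOSE_GET = "GET /compose_frame.adp HTTP/1.1\r\nHost: webmail.example\r\n\r\n"
# Same GET, but a query value happens to contain "POST": the unanchored content match fires anyway.
COMPOSE_GET_FP = "GET /compose_frame.adp?view=POSTED HTTP/1.1\r\nHost: webmail.example\r\n\r\n"
LOGIN_POST = ("POST /login/login.psp?siteId=example HTTP/1.1\r\nHost: login.example\r\n\r\n"
              "loginId=someone&triedAimAuth=0")

if __name__ == "__main__":
    for name, req in [("send", SEND_POST), ("compose GET", COMPOSE_GET),
                      ("compose GET w/ POST in query", COMPOSE_GET_FP), ("login", LOGIN_POST)]:
        print(f"{name}: {matching_sids(req)}")
```

The third sample shows why the send rule can fire on non-POST requests: `content:"POST"` has no `depth`/`offset` anchoring, so it matches the string wherever it appears in the payload.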
