[Snort-sigs] Yahoo, Hotmail, and unauth sigs

Matthew Jonkman matt at ...2436...
Fri May 28 08:46:11 EDT 2004


Please take a look at these sigs, I'd appreciate any suggestions to 
mature them. They detect Hotmail and Yahoo Mail inbox viewing, message 
viewing, and composing and sending new ones.

With the Yahoo messages, the only message we can capture is a submitted 
one; everything else Yahoo sends to the client is gzipped. Hotmail does 
not, though; all Hotmail data is easily captured for messages viewed.

::::::::::::::
YAHOO_Mail_Rules
::::::::::::::
alert tcp any any -> any 80 (msg:"INFOTEX Yahoo Mail Inbox View"; content:"mail.yahoo.com"; content:"GET /ym/ShowFolder?rb=Inbox"; rev:1; sid:1000056;)
alert tcp any any -> any 80 (msg:"INFOTEX Yahoo Mail Message View"; content:"mail.yahoo.com"; content:"GET /ym/ShowLetter?MsgId"; rev:1; sid:1000057;)
alert tcp any any -> any 80 (msg:"INFOTEX Yahoo Mail Message Compose Open"; content:"mail.yahoo.com"; content:"GET /ym/Compose?"; rev:1; sid:1000058;)
alert tcp any any -> any 80 (msg:"INFOTEX Yahoo Mail Message Send"; content:"mail.yahoo.com"; content:"POST /ym/Compose?"; rev:1; sid:1000059;)
alert tcp any any -> any 80 (msg:"INFOTEX Yahoo Mail Message Send Info Capture"; content:"crumb="; content:"box="; content:"Subject="; content:"SEND="; content:"To="; rev:1; sid:1000060;)
::::::::::::::
HOTMAIL_Mail_Rules
::::::::::::::
alert tcp any any -> any 80 (msg:"INFOTEX Hotmail Inbox Access"; sid:1000061; content:"GET /cgi-bin/HoTMaiL?curmbox="; content:"hotmail.msn.com"; rev:1; session:printable;)
alert tcp any any -> any 80 (msg:"INFOTEX Hotmail Message Access"; sid:1000062; content:"GET /cgi-bin/getmsg?msg=MSG"; content:"hotmail.msn.com"; rev:1; session:printable;)
alert tcp any any -> any 80 (msg:"INFOTEX Hotmail Compose Message Access"; sid:1000063; content:"GET /cgi-bin/compose?"; content:"curmbox="; content:"hotmail.msn.com"; rev:1; session:printable;)
alert tcp any any -> any 80 (msg:"INFOTEX Hotmail Compose Message Submit"; sid:1000064; content:"POST /cgi-bin/premail"; content:"hotmail.msn.com"; rev:1; session:printable;)
alert tcp any any -> any 80 (msg:"INFOTEX Hotmail Compose Message Submit Data"; sid:1000065; content:"curmbox="; content:"login="; content:"msghdrid"; content:"sigflag="; rev:1; session:printable;)


These rules are available in the bleeding.rules set as well at 
http://snort.infotex.com. I'll keep tweaks to these rules up there.

We are going to get the bleedingsnort up and running, just haven't had 
the time lately. It'll get there though. :)

Matt

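Added here as an illustration, not part of Matt's post or the bleeding.rules set: a small Python evaluator that applies only the destination-port check and the AND of all `content:` strings from five of the rules above to constructed HTTP requests (the hostnames, cookies and form values are made up, not real captures). It shows which sids fire on a Yahoo inbox view, a Yahoo send, a Hotmail send, and a request that merely mentions mail.yahoo.com in a Referer; Snort's real engine does much more than this.

```python
import re

# Added example, not the post's code: apply only the dport check and the AND of
# all content: strings. Five of the posted rules, copied verbatim:
RULES = [
    'alert tcp any any -> any 80 (msg:"INFOTEX Yahoo Mail Inbox View"; '
    'content:"mail.yahoo.com"; content:"GET /ym/ShowFolder?rb=Inbox"; rev:1;sid:1000056;)',
    'alert tcp any any -> any 80 (msg:"INFOTEX Yahoo Mail Message Send"; '
    'content:"mail.yahoo.com"; content:"POST /ym/Compose?"; rev:1; sid:1000059;)',
    'alert tcp any any -> any 80 (msg:"INFOTEX Yahoo Mail Message Send Info Capture"; '
    'content:"crumb="; content:"box="; content:"Subject="; content:"SEND="; content:"To="; rev:1; sid:1000060;)',
    'alert tcp any any -> any 80 (msg:"INFOTEX Hotmail Compose Message Submit"; '
    'sid:1000064; content:"POST /cgi-bin/premail"; content:"hotmail.msn.com"; rev:1; session:printable;)',
    'alert tcp any any -> any 80 (msg:"INFOTEX Hotmail Compose Message Submit Data"; '
    'sid:1000065; content:"curmbox="; content:"login="; content:"msghdrid"; content:"sigflag="; rev:1; session:printable;)',
]
# key:"quoted value"; or key:bare;  (these rules use no |hex| bytes or escaped quotes)
OPT_RE = re.compile(r'(\w+):(?:"([^"]*)"|([^;]*));')

def parse_rule(line):
    header, _, body = line.partition('(')          # "alert tcp any any -> any 80 "
    body = body.rsplit(')', 1)[0]                  # option list without the parens
    rule = {'dport': header.split()[6], 'content': []}
    for key, quoted, bare in OPT_RE.findall(body):
        value = quoted if quoted else bare.strip()
        if key == 'content':
            rule['content'].append(value.encode())  # content: matches raw bytes
        else:
            rule[key] = value
    return rule

def matches(rule, dport, payload):
    # Every content: string must appear somewhere in the payload, in any order, case-sensitive.
    if rule['dport'] != 'any' and int(rule['dport']) != dport:
        return False
    return all(c in payload for c in rule['content'])

def evaluate(dport, payload, rules=RULES):
    return sorted(int(r['sid']) for r in map(parse_rule, rules) if matches(r, dport, payload))

# Constructed sample requests (not real captures).
YAHOO_INBOX = (b"GET /ym/ShowFolder?rb=Inbox&YY=1 HTTP/1.1\r\n"
               b"Host: us.f1.mail.yahoo.com\r\n\r\n")
YAHOO_SEND = (b"POST /ym/Compose?YY=1 HTTP/1.1\r\nHost: us.f1.mail.yahoo.com\r\n\r\n"
              b"box=Inbox&crumb=x&To=bob%40example.org&Subject=hi&SEND=Send&Body=test")
HOTMAIL_SEND = (b"POST /cgi-bin/premail HTTP/1.1\r\nHost: lw9fd.law9.hotmail.msn.com\r\n\r\n"
                b"curmbox=F000000001&login=someone&msghdrid=123&sigflag=0")
# A Referer naming mail.yahoo.com alone does not satisfy sid 1000056 (no ShowFolder path).
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\nReferer: http://mail.yahoo.com/\r\n\r\n"
```

Running `evaluate(80, HOTMAIL_SEND)` fires both 1000064 and 1000065 on the same request, since the sid 1000065 form fields travel in the same POST body; the same request does not fire the Yahoo sid 1000060 even though "box=" is a substring of "curmbox=", because "crumb=" is absent.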