[Snort-sigs] Yahoo, Hotmail, and unauth sigs

Nigel Houghton nigel at ...435...
Fri May 28 09:07:13 EDT 2004


On 0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
> Please take a look at these sigs, I'd appreciate any suggestions to 
> mature them. They detect Hotmail and Yahoo Mail inbox viewing, message 
> viewing, and composing and sending new ones.
> 
> With the yahoo messages the only message we can capture is a submitted 
> one, everything else yahoo sends to the client is gzipped. Hotmail does 
> not though, all hotmail data is easily captured for messages viewed.
> 
> ::::::::::::::
> YAHOO_Mail_Rules
> ::::::::::::::
> alert tcp any any -> any 80 (msg:"INFOTEX Yahoo Mail Inbox View"; content:"mail.yahoo.com"; content:"GET /ym/ShowFolder?rb=Inbox"; rev:1;sid:1000056;)
> alert tcp any any -> any 80 (msg:"INFOTEX Yahoo Mail Message View"; content:"mail.yahoo.com"; content:"GET /ym/ShowLetter?MsgId"; rev:1; sid:1000057;)
> alert tcp any any -> any 80 (msg:"INFOTEX Yahoo Mail Message Compose Open"; content:"mail.yahoo.com"; content:"GET /ym/Compose?"; rev:1; sid:1000058;)
> alert tcp any any -> any 80 (msg:"INFOTEX Yahoo Mail Message Send"; content:"mail.yahoo.com"; content:"POST /ym/Compose?"; rev:1; sid:1000059;)
> alert tcp any any -> any 80 (msg:"INFOTEX Yahoo Mail Message Send Info Capture"; content:"crumb="; content:"box="; content:"Subject="; content:"SEND="; content:"To="; rev:1; sid:1000060;)
> ::::::::::::::
> HOTMAIL_Mail_Rules
> ::::::::::::::
> alert tcp any any -> any 80 (msg:"INFOTEX Hotmail Inbox Access"; sid:1000061; content:"GET /cgi-bin/HoTMaiL?curmbox="; content:"hotmail.msn.com"; rev:1; session:printable;)
> alert tcp any any -> any 80 (msg:"INFOTEX Hotmail Message Access"; sid:1000062; content:"GET /cgi-bin/getmsg?msg=MSG"; content:"hotmail.msn.com"; rev:1; session:printable;)
> alert tcp any any -> any 80 (msg:"INFOTEX Hotmail Compose Message Access"; sid:1000063; content:"GET /cgi-bin/compose?"; content:"curmbox="; content:"hotmail.msn.com"; rev:1; session:printable;)
> alert tcp any any -> any 80 (msg:"INFOTEX Hotmail Compose Message Submit"; sid:1000064; content:"POST /cgi-bin/premail"; content:"hotmail.msn.com"; rev:1; session:printable;)
> alert tcp any any -> any 80 (msg:"INFOTEX Hotmail Compose Message Submit Data"; sid:1000065; content:"curmbox="; content:"login="; content:"msghdrid"; content:"sigflag="; rev:1; session:printable;)

I'm curious as to why you're not using $HOME_NET and $EXTERNAL_NET in your
rules, along with flow and uricontent (where appropriate). Also, I'm
guessing this is a policy violation thing for people who aren't supposed
to be using Yahoo or Hotmail from work or something like that, so I think
you could also use classtype: policy-violation; in each of them for people
who wish to sort on that.

One more nitpicky thing, it's always nice if things are laid out
consistently, like each rule ending with sid:123; rev:1; but that's just
me probably :)

> These rules are available in the bleeding.rules set as well at 
> http://snort.infotex.com. I'll keep tweaks to these rules up there.
> 
> We are going to get the bleedingsnort up and running, just haven't had 
> the time lately. It'll get there though. :)
> 
> Matt
 
-------------------------------------------------------------
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
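As an added illustration of the suggestions in Nigel's reply (example rules written for this page, not Matt's or Nigel's own), here are two of the posted rules rewritten with $HOME_NET/$EXTERNAL_NET, flow, uricontent, classtype and a consistent sid/rev ordering; the sids are kept from Matt's rules with rev bumped, and $HOME_NET/$EXTERNAL_NET are assumed to be set in snort.conf.

```snort
# Yahoo inbox view, rewritten: only inside hosts talking outward to port 80,
# client-to-server on an established session, URI matched with uricontent,
# Host header matched case-insensitively, tagged for sorting as policy-violation
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INFOTEX Yahoo Mail Inbox View"; flow:to_server,established; uricontent:"/ym/ShowFolder"; uricontent:"rb=Inbox"; content:"mail.yahoo.com"; nocase; classtype:policy-violation; sid:1000056; rev:2;)

# Hotmail compose submit, same treatment; the POST is already implied by
# flow:to_server plus the /cgi-bin/premail URI, so no "POST " content is needed
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INFOTEX Hotmail Compose Message Submit"; flow:to_server,established; uricontent:"/cgi-bin/premail"; content:"hotmail.msn.com"; nocase; classtype:policy-violation; session:printable; sid:1000064; rev:2;)
```

flow:established also keeps the rules from firing on stray unacknowledged packets, and uricontent only inspects the normalized URI, so it is cheaper than a raw content match over the whole payload.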
