[Snort-sigs] Yahoo, Hotmail, and unauth sigs

Nigel Houghton nigel at ...435...
Fri May 28 10:17:01 EDT 2004

On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
> Good ideas, all of them. I'm doing them now. Except uri content. When I 
> turn that on they don't hit as often. Miss about half. Anyone have an 
> idea there?

uricontent won't catch the HTTP POST. Also, "nocase" might be useful in 
some cases, just in case Hotmail/Yahoo start not caring about case sensitivity.

For example, your rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Hotmail Inbox Access"; content:"GET /cgi-bin/HoTMaiL?curmbox="; content:"hotmail.msn.com"; session:printable; classtype: policy-violation; sid:1000061; rev:2;)

Might become:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Hotmail Inbox Access"; flow:to_server,established; uricontent:"/cgi-bin/HoTMaiL?curmbox=";nocase; content:"hotmail.msn.com";nocase; classtype: policy-violation; sid:1000061; rev:3;)

Note, I included a "flow" statement and removed the "session" statement. I
would imagine that a lot of people logging in to HotMail might slow down
Snort quite a bit with "session:printable;" being used.
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
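To make the difference between the two rule forms concrete, here is an added example that is not part of the mail and not Snort's own code: a small Python model of the three rule options the thread relies on. `content` is a raw substring search over the whole request payload, `uricontent` searches only the (percent-decoded) URI from the request line, and `nocase` makes the option it follows case-insensitive. `flow` and `session` need TCP stream state and are left out of the model. The sample requests are constructed for the example (only the host and path come from the rule in the mail), and the URI normalization is a deliberately simplified stand-in for what Snort's http_inspect preprocessor does.

```python
"""Toy model of Snort's content / uricontent / nocase semantics.

Added example, not code from the original mail or from Snort itself.
flow: and session: depend on stream state and are not modelled.
"""
from typing import Dict, List, Tuple
from urllib.parse import unquote

# One rule option: (keyword, pattern, nocase)
Option = Tuple[str, str, bool]


def request_uri(payload: bytes) -> str:
    """Return the URI from the HTTP request line, or '' if there is none."""
    first_line = payload.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def normalize_uri(uri: str) -> str:
    """Simplified stand-in for http_inspect URI normalization (assumption):
    percent-decode and collapse repeated slashes. Real Snort does more."""
    uri = unquote(uri)
    while "//" in uri:
        uri = uri.replace("//", "/")
    return uri


def option_matches(opt: Option, payload: bytes) -> bool:
    """Evaluate a single content-style option against a raw request."""
    keyword, pattern, nocase = opt
    if keyword == "content":
        haystack = payload.decode("latin-1")          # whole payload
    elif keyword == "uricontent":
        haystack = normalize_uri(request_uri(payload))  # URI buffer only
    else:
        raise ValueError(f"unsupported option: {keyword}")
    if nocase:
        return pattern.lower() in haystack.lower()
    return pattern in haystack


def rule_matches(rule: List[Option], payload: bytes) -> bool:
    """Snort ANDs all options in a rule: every one must match."""
    return all(option_matches(opt, payload) for opt in rule)


# Matthew's original rule (rev:2): raw, case-sensitive content anchored on "GET ".
ORIGINAL_RULE: List[Option] = [
    ("content", "GET /cgi-bin/HoTMaiL?curmbox=", False),
    ("content", "hotmail.msn.com", False),
]

# Nigel's rewrite (rev:3): uricontent plus nocase on both patterns.
REVISED_RULE: List[Option] = [
    ("uricontent", "/cgi-bin/HoTMaiL?curmbox=", True),
    ("content", "hotmail.msn.com", True),
]

# Constructed sample requests (not captured traffic).
SAMPLES: Dict[str, bytes] = {
    "get_plain": (b"GET /cgi-bin/HoTMaiL?curmbox=F000000001 HTTP/1.1\r\n"
                  b"Host: hotmail.msn.com\r\n\r\n"),
    "post_plain": (b"POST /cgi-bin/HoTMaiL?curmbox=F000000001 HTTP/1.1\r\n"
                   b"Host: hotmail.msn.com\r\nContent-Length: 0\r\n\r\n"),
    # Same request with the case changed in the path and the Host header.
    "get_lowercase": (b"GET /cgi-bin/hotmail?curmbox=F000000001 HTTP/1.1\r\n"
                      b"Host: HOTMAIL.MSN.COM\r\n\r\n"),
    # %69 is 'i': defeats a raw content match but not a normalized URI match.
    "get_encoded": (b"GET /cgi-bin/HoTMa%69L?curmbox=F000000001 HTTP/1.1\r\n"
                    b"Host: hotmail.msn.com\r\n\r\n"),
    # Same path on an unrelated host: neither rule should fire.
    "other_site": (b"GET /cgi-bin/HoTMaiL?curmbox=1 HTTP/1.1\r\n"
                   b"Host: example.net\r\n\r\n"),
}


def evaluate(rule: List[Option]) -> Dict[str, bool]:
    """Run one rule over every sample and report which ones it would alert on."""
    return {name: rule_matches(rule, payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in (("original rev:2", ORIGINAL_RULE), ("revised rev:3", REVISED_RULE)):
        print(label, evaluate(rule))
```

Running it shows the original rule firing only on `get_plain`: the POST, the case-changed request and the percent-encoded path all slip past a raw `content` match that starts with `GET `. The revised rule fires on all four Hotmail requests and still ignores the unrelated host, because the `hotmail.msn.com` content check does the site identification while `uricontent` does the path check. The model deliberately ignores what `flow:to_server,established` adds in real Snort (only client-to-server traffic on established sessions is inspected), so treat it as an illustration of the matching semantics, not as a substitute for testing the rule against live traffic.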
