[Snort-sigs] Yahoo, Hotmail, and unauth sigs

Nigel Houghton nigel at ...435...
Fri May 28 10:17:01 EDT 2004


On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
> Good ideas, all of them. I'm doing them now. Except uri content. When I 
> turn that on they don't hit as often. Miss about half. Anyone have an 
> idea there?

uricontent won't catch the HTTP POST. Also, "nocase" might be useful in 
some cases, just in case Hotmail/Yahoo start not caring about case sensitivity.

For example, your rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Hotmail Inbox Access"; content:"GET /cgi-bin/HoTMaiL?curmbox="; content:"hotmail.msn.com"; session:printable; classtype: policy-violation; sid:1000061; rev:2;)

Might become:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Hotmail Inbox Access"; flow:to_server,established; uricontent:"/cgi-bin/HoTMaiL?curmbox=";nocase; content:"hotmail.msn.com";nocase; classtype: policy-violation; sid:1000061; rev:3;)

Note, I included a "flow" statement and removed the "session" statement. I
would imagine that a lot of people logging in to HotMail might slow down
Snort quite a bit with "session:printable;" being used.
 
-------------------------------------------------------------
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.




More information about the Snort-sigs mailing list