[Snort-sigs] Yahoo, Hotmail, and unauth sigs

Matthew Jonkman matt at ...2436...
Fri May 28 11:13:07 EDT 2004

Done. You're just full of good ideas Nigel. :)  Thanks

New versions at http://snort.infotex.com



Nigel Houghton wrote:

> On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
>>Good ideas, all of them. I'm doing them now. Except uri content. When I 
>>turn that on they don't hit as often. Miss about half. Anyone have an 
>>idea there?
> uricontent won't catch the HTTP POST. Also, "nocase" might be useful in 
> some cases, just in case Hotmail/Yahoo start not caring about case sensitivity.
> For example, your rule:
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Hotmail Inbox Access"; content:"GET /cgi-bin/HoTMaiL?curmbox="; content:"hotmail.msn.com"; session:printable; classtype: policy-violation; sid:1000061; rev:2;)
> Might become:
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Hotmail Inbox Access"; flow:to_server,established; uricontent:"/cgi-bin/HoTMaiL?curmbox=";nocase; content:"hotmail.msn.com";nocase; classtype: policy-violation; sid:1000061; rev:3;)
> Note, I included a "flow" statement and removed the "session" statement. I
> would imagine that a lot of people logging in to HotMail might slow down
> Snort quite a bit with "session:printable;" being used.
> -------------------------------------------------------------
> Nigel Houghton       Research Engineer        Sourcefire Inc.
>                  Vulnerability Research Team
> In an emergency situation involving two or more officers of equal rank,
> seniority will be granted to whichever officer can program a vcr.

Matthew Jonkman, CISSP
Senior Security Engineer

More information about the Snort-sigs mailing list