[Snort-sigs] Yahoo, Hotmail, and unauth sigs

[Matthew Jonkman]

Done. You're just full of good ideas Nigel. :)  Thanks

New versions at http://snort.infotex.com

Specifically:
http://snort.infotex.com/cgi-bin/viewcvs.cgi/Stable/HOTMAIL_Mail_Rules?rev=1.5&content-type=text/vnd.viewcvs-markup
http://snort.infotex.com/cgi-bin/viewcvs.cgi/Stable/YAHOO_Mail_Rules?rev=1.6&content-type=text/vnd.viewcvs-markup

Matt

Nigel Houghton wrote:

> On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
> 
>>Good ideas, all of them. I'm doing them now. Except uri content. When I 
>>turn that on they don't hit as often. Miss about half. Anyone have an 
>>idea there?
> 
> 
> uricontent won't catch the HTTP POST. Also, "nocase" might be useful in 
> some cases, just in case Hotmail/Yahoo start not caring about case sensitivity.
> 
> For example, your rule:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Hotmail Inbox Access"; content:"GET /cgi-bin/HoTMaiL?curmbox="; content:"hotmail.msn.com"; session:printable; classtype: policy-violation; sid:1000061; rev:2;)
> 
> Might become:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Hotmail Inbox Access"; flow:to_server,established; uricontent:"/cgi-bin/HoTMaiL?curmbox=";nocase; content:"hotmail.msn.com";nocase; classtype: policy-violation; sid:1000061; rev:3;)
> 
> Note, I included a "flow" statement and removed the "session" statement. I
> would imagine that a lot of people logging in to HotMail might slow down
> Snort quite a bit with "session:printable;" being used.
>  
> -------------------------------------------------------------
> Nigel Houghton       Research Engineer        Sourcefire Inc.
>                  Vulnerability Research Team
> 
> In an emergency situation involving two or more officers of equal rank,
> seniority will be granted to whichever officer can program a vcr.

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer