[Snort-sigs] Yahoo, Hotmail, and unauth sigs
Matthew Jonkman
matt at ...2436...
Fri May 28 11:13:07 EDT 2004
Done. You're just full of good ideas, Nigel. :) Thanks
New versions at http://snort.infotex.com
Specifically:
http://snort.infotex.com/cgi-bin/viewcvs.cgi/Stable/HOTMAIL_Mail_Rules?rev=1.5&content-type=text/vnd.viewcvs-markup
http://snort.infotex.com/cgi-bin/viewcvs.cgi/Stable/YAHOO_Mail_Rules?rev=1.6&content-type=text/vnd.viewcvs-markup
Matt
Nigel Houghton wrote:
> On 0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
>
>>Good ideas, all of them. I'm doing them now. Except uri content. When I
>>turn that on they don't hit as often. Miss about half. Anyone have an
>>idea there?
>
>
> uricontent won't catch the HTTP POST. Also, "nocase" might be useful in
> some cases, just in case Hotmail/Yahoo start not caring about case sensitivity.
>
> For example, your rule:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Hotmail Inbox Access"; content:"GET /cgi-bin/HoTMaiL?curmbox="; content:"hotmail.msn.com"; session:printable; classtype: policy-violation; sid:1000061; rev:2;)
>
> Might become:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Hotmail Inbox Access"; flow:to_server,established; uricontent:"/cgi-bin/HoTMaiL?curmbox=";nocase; content:"hotmail.msn.com";nocase; classtype: policy-violation; sid:1000061; rev:3;)
>
> Note, I included a "flow" statement and removed the "session" statement. I
> would imagine that a lot of people logging in to HotMail might slow down
> Snort quite a bit with "session:printable;" being used.
>
> -------------------------------------------------------------
> Nigel Houghton Research Engineer Sourcefire Inc.
> Vulnerability Research Team
>
> In an emergency situation involving two or more officers of equal rank,
> seniority will be granted to whichever officer can program a vcr.
--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
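The uricontent/nocase point in Nigel's reply, worked through as an added example (this is not code from the thread, from Snort, or from the Bleeding Edge rule set): a toy matcher that models `content` as "anywhere in the payload", `uricontent` as "only in the request-line URI", and `nocase` as a case-insensitive comparison, then runs the rev:2 and rev:3 rule bodies over constructed GET and POST requests. The sample requests, including the POST whose Referer header carries the inbox URL, are constructed for the demonstration and are not captured Hotmail traffic; the simplified matching semantics are an assumption for illustration (real Snort normalizes the URI buffer before matching).

```python
"""Toy model of Snort content vs uricontent (and nocase) on HTTP requests.

Added example, not code from the Snort-sigs thread or from Snort itself.
Assumed, simplified semantics:
  content:"X"     -> X must appear somewhere in the TCP payload
  uricontent:"X"  -> X must appear in the request-line URI only
  nocase          -> compare case-insensitively
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Match:
    pattern: str
    uri_only: bool = False   # True models uricontent, False models content
    nocase: bool = False


def request_uri(payload: bytes) -> bytes:
    """Return the URI from the request line, e.g. "/path?x=1" from "GET /path?x=1 HTTP/1.1"."""
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def matches(payload: bytes, m: Match) -> bool:
    """Apply one content/uricontent option to a request payload."""
    haystack = request_uri(payload) if m.uri_only else payload
    needle = m.pattern.encode()
    if m.nocase:
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack


def rule_hits(payload: bytes, options: list[Match]) -> bool:
    """All content/uricontent options of a rule must match (logical AND)."""
    return all(matches(payload, m) for m in options)


# Constructed sample traffic (not real captures).
# 1) Inbox fetched with GET: the curmbox parameter sits in the URI.
GET_REQUEST = (
    b"GET /cgi-bin/HoTMaiL?curmbox=F000000001 HTTP/1.1\r\n"
    b"Host: hotmail.msn.com\r\n\r\n"
)
# 2) A form POST from the inbox page: the inbox URL appears only in the
#    Referer header, never in the request-line URI, so uricontent cannot see it.
POST_REQUEST = (
    b"POST /cgi-bin/example_action HTTP/1.1\r\n"   # hypothetical path
    b"Host: hotmail.msn.com\r\n"
    b"Referer: http://hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"curmbox=F000000001&action=1"
)
# 3) Same GET with the path in lower case, to show what nocase buys.
MIXED_CASE_GET = GET_REQUEST.replace(b"HoTMaiL", b"hotmail")

# The original rev:2 rule body: two plain, case-sensitive content matches.
RULE_REV2 = [Match("/cgi-bin/HoTMaiL?curmbox="), Match("hotmail.msn.com")]
# Nigel's suggested rev:3 body: uricontent for the path, nocase on both.
RULE_REV3 = [
    Match("/cgi-bin/HoTMaiL?curmbox=", uri_only=True, nocase=True),
    Match("hotmail.msn.com", nocase=True),
]


def evaluate() -> dict[str, bool]:
    """Run both rule bodies over the three constructed requests."""
    return {
        "rev2_get": rule_hits(GET_REQUEST, RULE_REV2),
        "rev2_post": rule_hits(POST_REQUEST, RULE_REV2),
        "rev3_get": rule_hits(GET_REQUEST, RULE_REV3),
        "rev3_post": rule_hits(POST_REQUEST, RULE_REV3),
        "rev2_mixedcase": rule_hits(MIXED_CASE_GET, RULE_REV2),
        "rev3_mixedcase": rule_hits(MIXED_CASE_GET, RULE_REV3),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:15} {'HIT' if hit else 'miss'}")
```

Running it shows the trade-off behind "miss about half": the rev:2 body fires on the GET and on the POST (via the Referer header), while the rev:3 body fires only on the GET, because `uricontent` inspects just the request-line URI. In return, `nocase` lets rev:3 keep matching if the path casing changes, where rev:2 goes silent. Which behaviour is wanted depends on whether the rule is meant to flag every request carrying the inbox URL or only the inbox fetch itself.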