[Snort-sigs] Yahoo, Hotmail, and unauth sigs

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Fri May 28 12:04:06 EDT 2004


One other thing... hotmail.msn.com and the Yahoo hostname aren't always
in the content part of it, since they often use other hostnames
(e.g. host: akjsfijq2ieja.mail.aasfj8adf.msn.com).

Any chance a use of flowbits could work? One to catch the initial
hotmail/msn login page, and the other to catch actual use of
hotmail/mail?

-----Original Message-----
From: Nigel Houghton [mailto:nigel at ...435...] 
Sent: Friday, May 28, 2004 12:17 PM
To: Matthew Jonkman
Cc: Nigel Houghton; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Yahoo, Hotmail, and unauth sigs

On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
> Good ideas, all of them. I'm doing them now. Except uri content. When I
> turn that on they don't hit as often. Miss about half. Anyone have an
> idea there?

uricontent won't catch the HTTP POST. Also, "nocase" might be useful in 
some cases, just in case Hotmail/Yahoo start not caring about case
sensitivity.

For example, your rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Hotmail Inbox Access"; content:"GET /cgi-bin/HoTMaiL?curmbox="; content:"hotmail.msn.com"; session:printable; classtype:policy-violation; sid:1000061; rev:2;)

Might become:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Hotmail Inbox Access"; flow:to_server,established; uricontent:"/cgi-bin/HoTMaiL?curmbox="; nocase; content:"hotmail.msn.com"; nocase; classtype:policy-violation; sid:1000061; rev:3;)

Note, I included a "flow" statement and removed the "session" statement.
I would imagine that a lot of people logging in to HotMail might slow
down Snort quite a bit with "session:printable;" being used.
 
-------------------------------------------------------------
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
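The flowbits pairing Chad asks about, written out as an added example (these rules are not from the thread and not from the Bleeding Edge ruleset). It assumes Snort 2.x rule syntax with the stream and HTTP preprocessors enabled; the only URI taken from the thread is /cgi-bin/HoTMaiL?curmbox=, the flowbit name and the sid values are placeholders in the local (1000000+) range, and the first rule keys on the Host header for hotmail.msn.com because the thread gives no login path:

```snort
# Added example, not from the thread. Placeholder sids; flowbit name is arbitrary.

# Stage 1: a request to the hotmail.msn.com front end marks this TCP session
# but does not alert on its own (flowbits:noalert).
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL Hotmail front-end request"; flow:to_server,established; content:"Host|3A| hotmail.msn.com"; nocase; flowbits:set,hotmail.seen; flowbits:noalert; classtype:policy-violation; sid:1000062; rev:1;)

# Stage 2: inbox access alerts only if stage 1 already fired on the same session.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL Hotmail inbox access after front-end"; flow:to_server,established; uricontent:"/cgi-bin/HoTMaiL?curmbox="; nocase; flowbits:isset,hotmail.seen; classtype:policy-violation; sid:1000063; rev:1;)

# Standalone: inbox access on any *.msn.com host, for the case where the
# inbox is served from a hostname other than hotmail.msn.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL Hotmail inbox access on msn.com host"; flow:to_server,established; uricontent:"/cgi-bin/HoTMaiL?curmbox="; nocase; pcre:"/^Host\x3A[^\r\n]*\.msn\.com/mi"; classtype:policy-violation; sid:1000064; rev:1;)
```

Two caveats before relying on this. Flowbits are kept in the per-session state of the stream preprocessor, so stage 1 and stage 2 only correlate when both requests travel over the same TCP connection; a request to a different hostname such as the akjsfijq2ieja.mail.aasfj8adf.msn.com example is by definition a separate connection, so the flowbits pair cannot link a login on hotmail.msn.com to an inbox fetch on that host, and the standalone third rule is what covers it. Also, uricontent matches only the normalised URI buffer that the HTTP preprocessor (http_inspect, or http_decode on older builds) fills in, so that preprocessor must be enabled and watching port 80 or the uricontent rules will never fire.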

