[Snort-sigs] Yahoo, Hotmail, and unauth sigs

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Fri May 28 12:04:06 EDT 2004

One other thing... hotmail.msn.com and the yahoo hostname aren't always
in the content part of it, since they often use other hostnames in
(host: akjsfijq2ieja.mail.aasfj8adf.msn.com)

Any chance a use of flowbits could work... One to catch the initial
hotmail/msn login page, and the other to catch actual use of

-----Original Message-----
From: Nigel Houghton [mailto:nigel at ...435...] 
Sent: Friday, May 28, 2004 12:17 PM
To: Matthew Jonkman
Cc: Nigel Houghton; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Yahoo, Hotmail, and unauth sigs

On  0, Matthew Jonkman <matt at ...2436...> allegedly wrote:
> Good ideas, all of them. I'm doing them now. Except uri content. When
> I turn that on they don't hit as often. Miss about half. Anyone have an
> idea there?

uricontent won't catch the HTTP POST. Also, "nocase" might be useful in
some cases, just in case Hotmail/Yahoo start not caring about case.

For example, your rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Hotmail
Inbox Access"; content:"GET /cgi-bin/HoTMaiL?curmbox=";
content:"hotmail.msn.com"; session:printable; classtype:
policy-violation; sid:1000061; rev:2;)

Might become:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Hotmail
Inbox Access"; flow:to_server,established;
content:"hotmail.msn.com";nocase; classtype: policy-violation;
sid:1000061; rev:3;)

Note, I included a "flow" statement and removed the "session" statement.
I would imagine that a lot of people logging in to HotMail might slow down
Snort quite a bit with "session:printable;" being used.

Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
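The two-rule flowbits chain Chad asks about, and the uricontent-vs-content point Nigel raises, worked through on constructed traffic. This is an added illustration written for this archive page, not Snort itself and not the bleeding-edge rule set: a toy matcher that mimics what `content:` (with and without `nocase;`) and `uricontent:` see, and keeps per-flow state the way a pair of rules using `flowbits:set,hotmail.login; flowbits:noalert;` and `flowbits:isset,hotmail.login;` would. The hostname `hotmail.msn.com`, the odd `*.mail.*.msn.com` Host header and the `/cgi-bin/HoTMaiL?curmbox=` URI come from the thread; the login URI `/cgi-bin/login`, the flowbit name and all addresses are assumptions. The last request shows the caveat a practitioner would want: flowbits live on the TCP session, so an inbox fetch on a fresh connection that never carried the login page starts with the bit unset and does not alert.

```python
# Toy stateful matcher for the flowbits idea in this thread, plus the
# uricontent-vs-content difference. Added illustration, not Snort and not
# the bleeding-edge rules. All sample requests are constructed; the login
# URI "/cgi-bin/login", the flowbit name and the IPs are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str]   # (client ip:port, server ip:port), i.e. one TCP session


@dataclass
class Request:
    flow: Flow
    method: str
    uri: str
    headers: Dict[str, str]
    body: str = ""

    def raw(self) -> str:
        """Roughly the client->server payload a plain `content:` searches."""
        hdrs = "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        return f"{self.method} {self.uri} HTTP/1.1\r\n{hdrs}\r\n{self.body}"


def content(hay: str, needle: str, nocase: bool = False) -> bool:
    """`content:"needle"`, optionally with the `nocase;` modifier."""
    return needle.lower() in hay.lower() if nocase else needle in hay


def uricontent(req: Request, needle: str, nocase: bool = False) -> bool:
    """`uricontent:` inspects only the request URI, never headers or body."""
    return content(req.uri, needle, nocase)


LOGIN_BIT = "hotmail.login"   # flowbit name: an assumption


def run_rules(traffic: List[Request]) -> List[Tuple[Flow, str]]:
    """Two-rule chain; returns (flow, msg) alerts in arrival order."""
    bits: Dict[Flow, Set[str]] = {}
    alerts: List[Tuple[Flow, str]] = []
    for r in traffic:
        # Rule 1: a request to the real Hotmail host (login stage). Sets the
        # bit on this flow and stays silent, like flowbits:set + noalert.
        if content(r.headers.get("Host", ""), "hotmail.msn.com", nocase=True):
            bits.setdefault(r.flow, set()).add(LOGIN_BIT)
        # Rule 2: inbox access on a flow that already saw the login. Matches
        # the URI only, case-insensitively, so the Host header can be
        # anything and HoTMaiL/hotmail casing does not matter.
        if (uricontent(r, "/cgi-bin/HoTMaiL?curmbox=", nocase=True)
                and LOGIN_BIT in bits.get(r.flow, set())):
            alerts.append((r.flow, "Hotmail Inbox Access"))
    return alerts


# Constructed traffic (documentation-range addresses)
FLOW_A: Flow = ("192.0.2.10:40001", "198.51.100.7:80")
FLOW_B: Flow = ("192.0.2.10:40002", "198.51.100.7:80")   # a second TCP connection
TRAFFIC = [
    Request(FLOW_A, "GET", "/cgi-bin/login", {"Host": "hotmail.msn.com"}),
    Request(FLOW_A, "POST", "/cgi-bin/dologin", {"Host": "hotmail.msn.com"},
            body="login=bob&passwd=x"),
    # inbox fetch on the same flow, lowercase URI, odd mail host from the thread
    Request(FLOW_A, "GET", "/cgi-bin/hotmail?curmbox=F000000001",
            {"Host": "akjsfijq2ieja.mail.aasfj8adf.msn.com"}),
    # same fetch on a new connection that never carried the login: no bit
    Request(FLOW_B, "GET", "/cgi-bin/HoTMaiL?curmbox=F000000001",
            {"Host": "akjsfijq2ieja.mail.aasfj8adf.msn.com"}),
]


def uricontent_vs_content() -> Tuple[bool, bool]:
    """Nigel's point: the login POST carries the hostname only in the Host
    header, so uricontent: misses it while content: finds it."""
    post = TRAFFIC[1]
    return (uricontent(post, "hotmail.msn.com"),
            content(post.raw(), "hotmail.msn.com"))


if __name__ == "__main__":
    print(run_rules(TRAFFIC))          # only FLOW_A alerts
    print(uricontent_vs_content())     # (False, True)
```

Running it alerts once, on FLOW_A, and stays silent on FLOW_B even though the URI is identical; that is the trade-off of a flowbits chain for this purpose, and it is why the single-rule version keyed on the hostname with `nocase` is the simpler choice unless the two requests are known to share a connection.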
