[Snort-sigs] Email Tracking Code Signature
james.lay at ...3513...
Mon Oct 31 12:21:23 EDT 2011
From: Simeon Bush [mailto:Sbush at ...3617...]
Sent: Thursday, October 27, 2011 1:01 PM
To: 'snort-sigs at lists.sourceforge.net'
Subject: [Snort-sigs] Email Tracking Code Signature
I was wondering if Snort has the capability to detect a tracking code in an email's source code. I'm sure this rule/signature would be expensive in terms of resource utilization. I've noticed that targeted phishing emails will have these embedded into the source code as a callback.
Check out the sensitive data options in snort.conf and the sensitive-data.rules... should give you an idea of what you can do to match those. Be prepared for some false positives.