[Snort-sigs] Email Tracking Code Signature

Lay, James james.lay at ...3513...
Mon Oct 31 12:21:23 EDT 2011

From: Simeon Bush [mailto:Sbush at ...3617...] 
Sent: Thursday, October 27, 2011 1:01 PM
To: 'snort-sigs at lists.sourceforge.net'
Subject: [Snort-sigs] Email Tracking Code Signature

I was wondering if Snort has the capability to detect a tracking code in an email's source code. I'm sure this rule/signature would be expensive in terms of resource utilization. I've noticed that targeted phishing emails will have these embedded into the source code as a callback.

Check out the sensitive data options in snort.conf and the sensitive-data.rules... should give you an idea of what you can do to match those. Be prepared for some false positives.

