[Snort-users] Hotmail

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Wed Jun 19 11:16:05 EDT 2002

That won't catch people who have messenger running... Possibly just set up
the alert on the range of IPs that they use for their login machines? (msn
still touches these)

-----Original Message-----
From: John Maestrale [mailto:jmaestrale at ...5809...] 
Sent: Wednesday, June 19, 2002 1:02 PM
To: Snort-Users (E-mail)
Subject: [Snort-users] Hotmail

Does this look correct. I am trying to alert on Hotmail login attempts.

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MSN Hotmail"; flags: A+;
uricontent: "/ppsecure/login"; nocase; classtype:misc-activity; rev:1;)


John Maestrale,SSCP

                   Bringing you mounds of caffeinated joy
                   >>>     http://thinkgeek.com/sf    <<<

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list