[Snort-users] Hotmail

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Wed Jun 19 11:16:05 EDT 2002


That won't catch people who have messenger running... Possibly just set up
the alert on the range of IPs that they use for their login machines? (msn
still touches these)

-----Original Message-----
From: John Maestrale [mailto:jmaestrale at ...5809...] 
Sent: Wednesday, June 19, 2002 1:02 PM
To: Snort-Users (E-mail)
Subject: [Snort-users] Hotmail


Does this look correct. I am trying to alert on Hotmail login attempts.

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MSN Hotmail"; flags: A+;
uricontent: "/ppsecure/login"; nocase; classtype:misc-activity; rev:1;)

Thanks

John Maestrale,SSCP



----------------------------------------------------------------------------
                   Bringing you mounds of caffeinated joy
                   >>>     http://thinkgeek.com/sf    <<<

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list