[Snort-users] HTML E-Mail Rule
mkettler at ...4108...
Wed Jan 22 18:30:02 EST 2003
Well, if you want to specifically see if they are sending email using
hotmail (as opposed to reading only), or want to try to track all the
traffic in the session, good luck.
If you just want to see which users are accessing hotmail, probably your
best bet is going to be detecting syn packets to port 80 on any of the
for example, digging www.hotmail.com looks like:
www.hotmail.com. 3600 IN A 22.214.171.124
www.hotmail.com. 3600 IN A 126.96.36.199
www.hotmail.com. 3600 IN A 188.8.131.52
www.hotmail.com. 3600 IN A 184.108.40.206
so a rule for that might look like:
var HOTMAIL_SERVERS [220.127.116.11/32, 18.104.22.168/32, 22.214.171.124/32,126.96.36.199/32]
alert icmp $HOME_NET any -> $HOTMAIL_SERVERS 80 (msg:"www.hotmail.com
access"; flags:S; classtype:policy-violation; sid:1000000; rev:1;)
For yahoo mail you can look for access to mail.yahoo.com:
<snip a bunch of irrelevant data>
;; ANSWER SECTION:
mail.yahoo.com. 1800 IN CNAME login.yahoo.com.
login.yahoo.com. 1800 IN CNAME login.yahoo.akadns.net.
login.yahoo.akadns.net. 300 IN A 188.8.131.52
login.yahoo.akadns.net. 300 IN A 184.108.40.206
<snip a bunch more irrelevant data>
And use a similar rule to the hotmail one. Lather-rinse-repeat for other
At 05:50 PM 1/22/2003 -0800, Mike Koponick wrote:
>I've done a little research, but need would like to get the view of of the
>group. I have a requirement to see which nodes on the network are using HTML
>E-Mail (like Hotmail) outbound. Is there a rule out there that will "sniff"
>Thanks in advance,
More information about the Snort-users