[Snort-users] HTML E-Mail Rule

Matt Kettler mkettler at ...4108...
Wed Jan 22 18:30:02 EST 2003

Well, if you want to specifically see if they are sending email using 
hotmail (as opposed to reading only), or want to try to track all the 
traffic in the session, good luck.

If you just want to see which users are accessing hotmail, probably your 
best bet is going to be detecting SYN packets to port 80 on any of the 
relevant webservers. For example, digging www.hotmail.com looks like:

www.hotmail.com.        3600    IN      A
www.hotmail.com.        3600    IN      A
www.hotmail.com.        3600    IN      A
www.hotmail.com.        3600    IN      A

so a rule for that might look like:

# $HOTMAIL_SERVERS holds the A-record addresses from the dig above
# (var HOTMAIL_SERVERS [...]); the SYN flag only makes sense on TCP
alert tcp $HOME_NET any -> $HOTMAIL_SERVERS 80 (msg:"www.hotmail.com 
access"; flags:S; classtype:policy-violation; sid:1000000; rev:1;)

For yahoo mail you can look for access to mail.yahoo.com:
$dig mail.yahoo.com

<snip a bunch of irrelevant data>

mail.yahoo.com.         1800    IN      CNAME   login.yahoo.com.
login.yahoo.com.        1800    IN      CNAME   login.yahoo.akadns.net.
login.yahoo.akadns.net. 300     IN      A
login.yahoo.akadns.net. 300     IN      A

<snip a bunch more irrelevant data>

And use a similar rule to the hotmail one. Lather-rinse-repeat for other 
web-mail providers.

At 05:50 PM 1/22/2003 -0800, Mike Koponick wrote:
>Hello Snort-Users!
>I've done a little research, but would like to get the view of the
>group. I have a requirement to see which nodes on the network are using HTML
>E-Mail (like Hotmail) outbound. Is there a rule out there that will "sniff"
>those packets?
>Thanks in advance,
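
The approach above (resolve each web-mail host, collect the A records, write a 
SYN-to-port-80 rule per provider) is mechanical enough to script. The following 
is an added example, not part of the original thread and not Snort project code: 
it parses dig-style output into A records, skips the CNAME chain, and emits a 
Snort `var` plus one `alert tcp ... flags:S` rule per provider. The dig text and 
the addresses in it are constructed (RFC 5737 documentation addresses; the real 
2003 addresses are not on the page), and the variable names, sid base and the 
function names are my own choices. It also returns the lowest TTL it saw, which 
is the practical caveat with IP-based rules: login.yahoo.akadns.net has a 300s 
TTL, so a rule built from a single dig goes stale unless it is regenerated.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample dig output. Addresses are RFC 5737 documentation ranges,
# stand-ins for the real records that the mailing-list post omitted.
SAMPLE_DIG: Dict[str, str] = {
    "www.hotmail.com": (
        "www.hotmail.com.        3600    IN      A       192.0.2.10\n"
        "www.hotmail.com.        3600    IN      A       192.0.2.11\n"
    ),
    "mail.yahoo.com": (
        "mail.yahoo.com.         1800    IN      CNAME   login.yahoo.com.\n"
        "login.yahoo.com.        1800    IN      CNAME   login.yahoo.akadns.net.\n"
        "login.yahoo.akadns.net. 300     IN      A       198.51.100.20\n"
        "login.yahoo.akadns.net. 300     IN      A       198.51.100.21\n"
    ),
}

# owner  ttl  IN  A  ipv4 ; "A\s+" deliberately does not match AAAA or CNAME.
A_RECORD = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M
)


def parse_a_records(dig_output: str) -> List[Tuple[str, int, str]]:
    """Return (owner, ttl, ip) for each A record in dig-style answer text.
    CNAMEs are ignored: the rule needs the final addresses, not the aliases."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in A_RECORD.finditer(dig_output)]


def snort_ip_list(ips: Iterable[str]) -> str:
    """Format addresses in Snort's list syntax: a bare address, or [a,b,c]."""
    uniq = sorted(set(ips))
    return uniq[0] if len(uniq) == 1 else "[" + ",".join(uniq) + "]"


def build_rules(provider_dig: Dict[str, str],
                base_sid: int = 1000000) -> Tuple[str, Optional[int]]:
    """Emit a `var` and one SYN-to-port-80 alert per provider.
    Returns (rules_text, lowest_ttl); the TTL is how long the list is good for."""
    lines: List[str] = []
    sid = base_sid
    min_ttl: Optional[int] = None
    for host, output in provider_dig.items():
        recs = parse_a_records(output)
        if not recs:
            continue  # nothing resolvable, so no rule to write
        var = host.upper().replace(".", "_") + "_SERVERS"  # e.g. WWW_HOTMAIL_COM_SERVERS
        ttl = min(t for _, t, _ in recs)
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        lines.append(f"var {var} {snort_ip_list(ip for _, _, ip in recs)}")
        # TCP, not ICMP: flags:S only has meaning on a TCP header.
        lines.append(
            f'alert tcp $HOME_NET any -> ${var} 80 (msg:"{host} access"; '
            f"flags:S; classtype:policy-violation; sid:{sid}; rev:1;)"
        )
        sid += 1
    return "\n".join(lines) + "\n", min_ttl


if __name__ == "__main__":
    text, ttl = build_rules(SAMPLE_DIG)
    print(text)
    print(f"# lowest TTL seen: {ttl}s; re-run at least that often or the lists drift")
```

Feed it real dig output (the answer section only) and append the result to 
your local rules file; the sid range 1000000 and up is the one reserved for 
local rules, which is why the post's example starts there.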

