Snort mailing list archives
Re: HTML E-Mail Rule
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 22 Jan 2003 21:33:22 -0500
Well, if you want to specifically see if they are sending email using hotmail (as opposed to reading only), or want to try to track all the traffic in the session, good luck.
If you just want to see which users are accessing hotmail, probably your best bet is going to be detecting syn packets to port 80 on any of the relevant webservers..
for example, digging www.hotmail.com looks like:

www.hotmail.com.        3600    IN      A       64.4.43.7
www.hotmail.com.        3600    IN      A       64.4.44.7
www.hotmail.com.        3600    IN      A       64.4.52.7
www.hotmail.com.        3600    IN      A       64.4.53.7

so a rule for that might look like:

var HOTMAIL_SERVERS [64.4.43.7/32,64.4.44.7/32,64.4.52.7/32,64.4.53.7/32]
alert tcp $HOME_NET any -> $HOTMAIL_SERVERS 80 (msg:"www.hotmail.com access"; flags:S; classtype:policy-violation; sid:1000000; rev:1;)
For yahoo mail you can look for access to mail.yahoo.com:

$ dig mail.yahoo.com
<snip a bunch of irrelevant data>
;; ANSWER SECTION:
mail.yahoo.com.         1800    IN      CNAME   login.yahoo.com.
login.yahoo.com.        1800    IN      CNAME   login.yahoo.akadns.net.
login.yahoo.akadns.net. 300     IN      A       64.58.76.99
login.yahoo.akadns.net. 300     IN      A       64.58.76.98
<snip a bunch more irrelevant data>

And use a similar rule to the hotmail one. Lather-rinse-repeat for other web-mail providers.
At 05:50 PM 1/22/2003 -0800, Mike Koponick wrote:
Hello Snort-Users!

I've done a little research, but would like to get the view of the group. I have a requirement to see which nodes on the network are using HTML E-Mail (like Hotmail) outbound. Is there a rule out there that will "sniff" those packets?

Thanks in advance,
Mike
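The procedure in the reply above (dig the provider's name, collect the A records, wrap them in a Snort var, and alert on SYNs to port 80) as a worked example. This is added code, not from the original post or the Snort project. The dig text is constructed from the addresses quoted in the thread, the packet summaries are constructed, and the Snort syntax (var, alert tcp, flags:S) is the Snort 1.x/2.x style the thread uses. It generalises the one-off rule to any number of providers and also applies the rule's header logic to sample packets, which makes two caveats visible: the protocol has to be tcp (icmp has neither ports nor TCP flags), and a port-80 rule does not see HTTPS logins.

```python
"""Build Snort 'which hosts reach web-mail?' rules from dig output and check
them against sample packets.  Added example, not code from the original post.
The dig text is constructed from the addresses quoted in the thread; the
Snort syntax (var, alert tcp, flags:S) is Snort 1.x/2.x style."""
import re
from ipaddress import ip_address, ip_network

# Constructed dig answer sections, using the addresses quoted in the thread.
DIG_OUTPUT = {
    "HOTMAIL_SERVERS": """\
www.hotmail.com.        3600    IN      A       64.4.43.7
www.hotmail.com.        3600    IN      A       64.4.44.7
www.hotmail.com.        3600    IN      A       64.4.52.7
www.hotmail.com.        3600    IN      A       64.4.53.7
""",
    "YAHOO_MAIL_SERVERS": """\
mail.yahoo.com.         1800    IN      CNAME   login.yahoo.com.
login.yahoo.com.        1800    IN      CNAME   login.yahoo.akadns.net.
login.yahoo.akadns.net. 300     IN      A       64.58.76.99
login.yahoo.akadns.net. 300     IN      A       64.58.76.98
""",
}

# Only A records carry addresses; CNAME hops in the chain are skipped.
A_RECORD = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def a_records(dig_text):
    """IPv4 addresses from the A records of a dig answer section."""
    return A_RECORD.findall(dig_text)


def snort_var(name, ips):
    """Snort IP-list variable.  No spaces inside the brackets: the old
    Snort parser rejects '[a, b]'."""
    return "var %s [%s]" % (name, ",".join("%s/32" % ip for ip in ips))


def snort_rule(var_name, msg, sid):
    """SYN-only rule for port 80 to the listed servers.  Protocol must be
    tcp: icmp has neither ports nor TCP flags, so an icmp rule never fires."""
    return ('alert tcp $HOME_NET any -> $%s 80 (msg:"%s"; flags:S; '
            'classtype:policy-violation; sid:%d; rev:1;)' % (var_name, msg, sid))


def build_ruleset(start_sid=1000000):
    """One var + rule pair per provider, unique sids in the local range."""
    lines, sid = [], start_sid
    for var_name, text in DIG_OUTPUT.items():
        lines.append(snort_var(var_name, a_records(text)))
        lines.append(snort_rule(var_name, "%s access" % var_name.lower(), sid))
        sid += 1
    return lines


def rule_matches(pkt, server_ips, dport=80):
    """Header semantics of the rule above applied to one packet summary.
    flags:S means SYN set and nothing else, so the server's SYN/ACK does not
    match; a SYN to 443 does not match either (HTTPS logins are not covered
    by a port-80 rule)."""
    return (pkt["proto"] == "tcp"
            and pkt["dport"] == dport
            and pkt["flags"] == {"S"}
            and any(ip_address(pkt["dst"]) in ip_network("%s/32" % ip)
                    for ip in server_ips))


def web_mail_clients(packets):
    """Sorted $HOME_NET hosts that opened a connection to any listed provider."""
    hits = set()
    for text in DIG_OUTPUT.values():
        ips = a_records(text)
        hits.update(p["src"] for p in packets if rule_matches(p, ips))
    return sorted(hits)


# Constructed packet summaries, as a sniffer would report them.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "64.4.43.7", "dport": 80, "flags": {"S"}},
    {"proto": "tcp", "src": "64.4.43.7", "dst": "10.0.0.5", "dport": 1025, "flags": {"S", "A"}},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "64.58.76.98", "dport": 443, "flags": {"S"}},
    {"proto": "tcp", "src": "10.0.0.7", "dst": "64.58.76.99", "dport": 80, "flags": {"S"}},
    {"proto": "tcp", "src": "10.0.0.8", "dst": "64.4.43.200", "dport": 80, "flags": {"S"}},
]

if __name__ == "__main__":
    print("\n".join(build_ruleset()))
    print("web-mail clients:", web_mail_clients(SAMPLE_PACKETS))
```

Running it prints the generated var/rule pairs followed by the two hosts (10.0.0.5 and 10.0.0.7) that sent a bare SYN to port 80 on a listed address; the SYN/ACK, the HTTPS SYN and the SYN to an unlisted address are all ignored. The address lists go stale whenever the provider changes DNS, so re-run the dig step periodically before trusting a silence.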