Snort mailing list archives

Re: HTML E-Mail Rule


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 22 Jan 2003 21:33:22 -0500

Well, if you want to specifically see if they are sending email using hotmail (as opposed to reading only), or want to try to track all the traffic in the session, good luck.

If you just want to see which users are accessing hotmail, probably your best bet is going to be detecting SYN packets to port 80 on any of the relevant webservers.
For example, digging www.hotmail.com looks like:

www.hotmail.com.        3600    IN      A       64.4.43.7
www.hotmail.com.        3600    IN      A       64.4.44.7
www.hotmail.com.        3600    IN      A       64.4.52.7
www.hotmail.com.        3600    IN      A       64.4.53.7

so a rule for that might look like:
var HOTMAIL_SERVERS [64.4.43.7/32,64.4.44.7/32,64.4.52.7/32,64.4.53.7/32]

# tcp, not icmp: the rule keys on a destination port and the SYN flag, which only exist in TCP
alert tcp $HOME_NET any -> $HOTMAIL_SERVERS 80 (msg:"www.hotmail.com access"; flags:S; classtype:policy-violation; sid:1000000; rev:1;)


For yahoo mail you can look for access to mail.yahoo.com:
$ dig mail.yahoo.com

<snip a bunch of irrelevant data>

;; ANSWER SECTION:
mail.yahoo.com.         1800    IN      CNAME   login.yahoo.com.
login.yahoo.com.        1800    IN      CNAME   login.yahoo.akadns.net.
login.yahoo.akadns.net. 300     IN      A       64.58.76.99
login.yahoo.akadns.net. 300     IN      A       64.58.76.98

<snip a bunch more irrelevant data>

And use a similar rule to the hotmail one. Lather-rinse-repeat for other web-mail providers.


At 05:50 PM 1/22/2003 -0800, Mike Koponick wrote:
Hello Snort-Users!

I've done a little research, but would like to get the view of the
group. I have a requirement to see which nodes on the network are using HTML
E-Mail (like Hotmail) outbound. Is there a rule out there that will "sniff"
those packets?

Thanks in advance,

Mike
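The "lather-rinse-repeat" step in Matt's reply (dig the provider, collect the A records, write a var and a SYN rule) is mechanical enough to script. The following is an added example, not code from the thread or from the Snort project: it parses the answer lines in the format dig prints (using the mail.yahoo.com records quoted above as constructed sample input), follows the CNAME chain to the final A records, and emits the var line and the alert rule in the same shape as the hotmail rule. The variable name YAHOO_MAIL_SERVERS and sid 1000001 are assumptions chosen for the example.

```python
import re

# Constructed sample input: the dig(1) ANSWER SECTION lines quoted in the thread,
# one resource record per line (owner, TTL, class, type, rdata).
DIG_ANSWER = """\
mail.yahoo.com.         1800    IN      CNAME   login.yahoo.com.
login.yahoo.com.        1800    IN      CNAME   login.yahoo.akadns.net.
login.yahoo.akadns.net. 300     IN      A       64.58.76.99
login.yahoo.akadns.net. 300     IN      A       64.58.76.98
"""

# owner  TTL  IN  A|CNAME  rdata  (other record types and dig's ";;" comment lines are ignored)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME)\s+(\S+)\s*$")


def parse_records(dig_text):
    """Parse A and CNAME lines from dig output into (owner, type, rdata) tuples.

    Trailing dots are stripped so that names compare equal however dig printed them.
    """
    records = []
    for line in dig_text.splitlines():
        m = RR_RE.match(line)
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        records.append((owner.rstrip("."), rtype, rdata.rstrip(".")))
    return records


def resolve_chain(records, name):
    """Follow CNAMEs from `name` and return the sorted A addresses at the end of the chain."""
    name = name.rstrip(".")
    seen = set()
    while name not in seen:  # `seen` guards against a CNAME loop in bad input
        seen.add(name)
        targets = [rdata for owner, rtype, rdata in records
                   if owner == name and rtype == "CNAME"]
        if not targets:
            break
        name = targets[0]
    return sorted(rdata for owner, rtype, rdata in records
                  if owner == name and rtype == "A")


def snort_var(var_name, addrs):
    """Emit a Snort `var` list of /32 entries, with no whitespace inside the brackets."""
    return "var %s [%s]" % (var_name, ",".join(a + "/32" for a in addrs))


def snort_rule(var_name, msg, sid):
    """Emit a TCP SYN-to-port-80 policy rule in the shape of the thread's hotmail rule."""
    return ('alert tcp $HOME_NET any -> $%s 80 (msg:"%s"; flags:S; '
            'classtype:policy-violation; sid:%d; rev:1;)' % (var_name, msg, sid))


def build_rules(dig_text, hostname, var_name, sid):
    """Return the two lines (var + alert) needed to watch SYNs to `hostname`'s servers."""
    addrs = resolve_chain(parse_records(dig_text), hostname)
    if not addrs:
        raise ValueError("no A records found for %s" % hostname)
    return [snort_var(var_name, addrs),
            snort_rule(var_name, "%s access" % hostname, sid)]


if __name__ == "__main__":
    for line in build_rules(DIG_ANSWER, "mail.yahoo.com", "YAHOO_MAIL_SERVERS", 1000001):
        print(line)
```

The whole answer section is walked rather than just the first line because the addresses sit at the end of the CNAME chain, not on the queried name. The addresses in the sample are the ones quoted in January 2003 and are only meaningful as an illustration; the rule is only as good as the resolution it was built from, so the dig step has to be repeated whenever the provider's records change.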


