Snort mailing list archives

Re: Alert for web-based email sites


From: Chris Green <cmg () uab edu>
Date: Tue, 18 Dec 2001 12:46:46 -0600

"Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com> writes:

Hello,

I'd like to create a rule in Snort to alert me anytime someone opens an SSL
session at www.hotmail.com (since it is against our security policy to
access web email).


alert tcp $HOME_NET any -> 64.4.0.0/16 443 \
(flags: S; msg: "Some one doing https-webmail!"; )

www.hotmail.com has address 64.4.43.7
www.hotmail.com has address 64.4.44.7
www.hotmail.com has address 64.4.45.7
www.hotmail.com has address 64.4.52.7
www.hotmail.com has address 64.4.53.7
www.hotmail.com has address 64.4.54.7

Is where I got the IPs from - it may be too broad.

I would ideally like to do this for all webmail related sites but I'm not
sure how to go about it. For example, it's OK for a user to go to
www.yahoo.com but not to get webmail from Yahoo.

Doesn't Yahoo webmail use a different server than plain old www.yahoo.com?

Is there anyone else out there doing checks for this type of thing?

I think most everyone that is doing restrictive policy enforcement is
doing porn detection.

Writing Snort rules will help give a good idea of how to go about
doing these kinda things.
-- 
Chris Green <cmg () uab edu>
Don't use a big word where a diminutive one will suffice.
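
Added example, not part of the original post: a Python sketch that takes the six www.hotmail.com addresses listed above and compares the 64.4.0.0/16 destination with the tightest single CIDR block and with an exact Snort IP list, to quantify the "may be too broad" remark. The function names, the rule message text and the sid value are assumptions made up for this illustration.

```python
import ipaddress

# A records for www.hotmail.com exactly as listed in the post (2001 data).
HOTMAIL_A_RECORDS = [
    "64.4.43.7", "64.4.44.7", "64.4.45.7",
    "64.4.52.7", "64.4.53.7", "64.4.54.7",
]

def tightest_prefix(addrs):
    """Return the smallest single CIDR block containing every address."""
    ips = sorted(ipaddress.IPv4Address(a) for a in addrs)
    lo, hi = int(ips[0]), int(ips[-1])
    # The highest bit in which lowest and highest differ fixes the host part.
    host_bits = (lo ^ hi).bit_length()
    base = (lo >> host_bits) << host_bits
    return ipaddress.IPv4Network((base, 32 - host_bits))

def snort_rule(dst, msg, sid):
    """Format an outbound SYN-to-443 rule shaped like the one in the post.
    sid is a constructed local-rule id, not a value from the page."""
    return (f'alert tcp $HOME_NET any -> {dst} 443 '
            f'(flags: S; msg: "{msg}"; sid: {sid};)')

def coverage_report(addrs, broad="64.4.0.0/16"):
    """Map each destination spec to how many addresses it would match."""
    broad_net = ipaddress.IPv4Network(broad)
    # Every listed host must fall inside the broad block being compared.
    outside = [a for a in addrs if ipaddress.IPv4Address(a) not in broad_net]
    if outside:
        raise ValueError(f"not covered by {broad}: {outside}")
    tight_net = tightest_prefix(addrs)
    exact = "[" + ",".join(addrs) + "]"  # Snort IP-list syntax
    return {
        str(broad_net): broad_net.num_addresses,
        str(tight_net): tight_net.num_addresses,
        exact: len(set(addrs)),
    }

if __name__ == "__main__":
    for dst, count in coverage_report(HOTMAIL_A_RECORDS).items():
        print(f"{count:>6} addresses matched by {dst}")
    exact = "[" + ",".join(HOTMAIL_A_RECORDS) + "]"
    print(snort_rule(exact, "POLICY https to listed webmail host", 1000001))
```

The exact list only stays accurate while the DNS answers stay the same, so it needs to be regenerated whenever the site's A records change.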
