Snort mailing list archives
Re: Alert for web-based email sites
From: Chris Green <cmg () uab edu>
Date: Tue, 18 Dec 2001 12:46:46 -0600
"Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com> writes:
Hello, I'd like to create a rule in Snort to alert me anytime someone opens an SSL session at www.hotmail.com (since it is against our security policy to access web email).
alert tcp $HOME_NET any -> 64.4.0.0/16 443 \
(flags: S; msg: "Some one doing https-webmail!"; )

www.hotmail.com has address 64.4.43.7
www.hotmail.com has address 64.4.44.7
www.hotmail.com has address 64.4.45.7
www.hotmail.com has address 64.4.52.7
www.hotmail.com has address 64.4.53.7
www.hotmail.com has address 64.4.54.7

Is where I got the IPs from - it may be too broad
I would ideally like to do this for all webmail related sites but I'm not sure how to go about it. For example, it's OK for a user to go to www.yahoo.com but not to get webmail from Yahoo.
Doesn't Yahoo webmail use a different server than plain old www.yahoo.com?
Is there anyone else out there doing checks for this type of thing?
I think most everyone that is doing restrictive policy enforcement is doing porn detection. Writing Snort rules will help give a good idea of how to go about doing these kinda things.

--
Chris Green <cmg () uab edu>
Don't use a big word where a diminutive one will suffice.
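An added example, not part of the original message, for the "it may be too broad" remark: it derives tighter destination blocks than 64.4.0.0/16 from the six addresses quoted in the post and emits the same SYN-to-443 rule using Snort's bracketed IP list. The function names and the /24 granularity are assumptions made for this illustration.

```python
import ipaddress

# Addresses copied from the `www.hotmail.com has address ...` lines in the post.
HOTMAIL_ADDRS = ["64.4.43.7", "64.4.44.7", "64.4.45.7",
                 "64.4.52.7", "64.4.53.7", "64.4.54.7"]

def tightest_supernet(addrs):
    """Smallest single CIDR block that contains every address."""
    ips = [ipaddress.ip_address(a) for a in addrs]
    net = ipaddress.ip_network(f"{min(ips)}/32")
    highest = max(ips)
    while highest not in net:
        net = net.supernet()          # widen the prefix by one bit
    return net

def covering_blocks(addrs, prefixlen=24):
    """Distinct /prefixlen blocks holding the addresses, merged where aligned."""
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs}
    return list(ipaddress.collapse_addresses(nets))

def snort_rule(nets, msg):
    """Alert on outbound TCP SYNs to port 443 for the given destination blocks."""
    if len(nets) == 1:
        dst = str(nets[0])
    else:
        dst = "[" + ",".join(str(n) for n in nets) + "]"
    return f'alert tcp $HOME_NET any -> {dst} 443 (flags: S; msg: "{msg}";)'

def coverage(nets):
    """Number of destination addresses a rule on these blocks would match."""
    return sum(n.num_addresses for n in nets)

if __name__ == "__main__":
    original = [ipaddress.ip_network("64.4.0.0/16")]
    single = [tightest_supernet(HOTMAIL_ADDRS)]
    blocks = covering_blocks(HOTMAIL_ADDRS)
    for label, nets in (("post", original), ("supernet", single), ("/24s", blocks)):
        print(f"{label:9} {coverage(nets):6} addrs")
        print("  " + snort_rule(nets, "Some one doing https-webmail!"))
```

The blocks are only as current as the DNS answers they were built from, so the rule has to be regenerated whenever the site's address records change.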