Snort mailing list archives
RE: Alert for web-based email sites
From: "Abe L. Getchell" <abegetchell () home com>
Date: Tue, 18 Dec 2001 19:58:50 -0500
Greetings!

Running an nslookup, I get the results below. Try alerting on these addresses for Hotmail.

-| # nslookup
-| Default Server: xena
-| Address: 0.0.0.0
-|
-| > www.hotmail.com
-| Server: xena
-| Address: 0.0.0.0
-|
-| Non-authoritative answer:
-| Name: www.hotmail.com
-| Addresses: 64.4.53.7, 64.4.54.7, 64.4.43.7, 64.4.44.7
-| 64.4.45.7, 64.4.52.7
-|
-| > exit
-| #

To alert on the access of various Yahoo! resources, at least the ones that require you to log in (such as mail or fantasy sports (Red Wings rule!)), check access to login.yahoo.com on ports 80 and 443. This worked a few months ago at least...

-| # nslookup
-| Default Server: xena
-| Address: 0.0.0.0
-|
-| > login.yahoo.com
-| Server: xena
-| Address: 0.0.0.0
-|
-| Non-authoritative answer:
-| Name: login.yahoo.akadns.net
-| Addresses: 64.58.76.99, 64.58.76.98
-| Aliases: login.yahoo.com
-|
-| > exit
-| #

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell () home com
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Chris Green
Sent: Tuesday, December 18, 2001 1:47 PM
To: Sheahan, Paul (PCLN-NW)
Cc: Snort List (E-mail)
Subject: Re: [Snort-users] Alert for web-based email sites

"Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com> writes:

> Hello, I'd like to create a rule in Snort to alert me anytime someone opens an SSL session at www.hotmail.com (since it is against our security policy to access web email).

alert tcp $HOME_NET any -> 64.4.0.0/16 443 \
    (flags: S; msg: "Some one doing https-webmail!"; )

www.hotmail.com has address 64.4.43.7
www.hotmail.com has address 64.4.44.7
www.hotmail.com has address 64.4.45.7
www.hotmail.com has address 64.4.52.7
www.hotmail.com has address 64.4.53.7
www.hotmail.com has address 64.4.54.7

Is where I got the IPs from - it may be too broad.

> I would ideally like to do this for all webmail related sites but I'm not sure how to go about it. For example, it's OK for a user to go to www.yahoo.com but not to get webmail from Yahoo.

Doesn't Yahoo webmail use a different server than plain old www.yahoo.com?

> Is there anyone else out there doing checks for this type of thing?

I think most everyone that is doing restrictive policy enforcement is doing porn detection. Writing snort rules will help give a good idea of how to go about doing these kinda things.

--
Chris Green <cmg () uab edu>
Don't use a big word where a diminutive one will suffice.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
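The thread contrasts two ways of writing the policy rule: a single alert on the whole 64.4.0.0/16 block (which Chris notes "may be too broad") and per-address rules built from the nslookup results Abe posted for www.hotmail.com and login.yahoo.com. The script below is an added example, not code from the thread or from the Snort project: it generates per-address Snort 1.x rules for ports 80 and 443 from the addresses quoted above, then runs a constructed set of flow records through both the broad rule and the narrow rule set so the difference in what each one flags is visible. The addresses are the historical ones quoted in the thread; the flow records, the 64.4.200.1 "other host" and the 192.0.2.10 destination are constructed for the example and are not captured traffic.

```python
"""Added example: broad /16 rule versus per-address webmail rules.

Addresses below are the ones quoted in the Snort-users thread (December
2001); the flow records are constructed, not captured traffic.
"""
import ipaddress

# Addresses quoted in the thread (historical, December 2001).
WEBMAIL_HOSTS = {
    "www.hotmail.com": ["64.4.53.7", "64.4.54.7", "64.4.43.7",
                        "64.4.44.7", "64.4.45.7", "64.4.52.7"],
    "login.yahoo.com": ["64.58.76.99", "64.58.76.98"],
}
WEBMAIL_PORTS = (80, 443)

# The network from the quoted rule in Chris Green's reply.
BROAD_NET = ipaddress.ip_network("64.4.0.0/16")


def snort_rules(hosts=WEBMAIL_HOSTS, ports=WEBMAIL_PORTS):
    """Emit one Snort rule per (address, port) in the 1.x syntax used in
    the thread: alert on the initial TCP SYN leaving $HOME_NET."""
    rules = []
    for name, addrs in hosts.items():
        for addr in addrs:
            for port in ports:
                rules.append(
                    f'alert tcp $HOME_NET any -> {addr} {port} '
                    f'(flags: S; msg: "webmail access to {name}";)'
                )
    return rules


def matches_narrow(dst, dport, hosts=WEBMAIL_HOSTS, ports=WEBMAIL_PORTS):
    """Return the hostname whose resolved addresses contain dst, or None."""
    if dport not in ports:
        return None
    for name, addrs in hosts.items():
        if dst in addrs:
            return name
    return None


def matches_broad(dst, dport):
    """The quoted rule: any SYN to 64.4.0.0/16 on port 443."""
    return dport == 443 and ipaddress.ip_address(dst) in BROAD_NET


# Constructed flow records: (src, dst, dport, tcp flags).
SAMPLE_FLOWS = [
    ("10.1.1.5", "64.4.53.7", 443, "S"),     # Hotmail login over HTTPS
    ("10.1.1.6", "64.58.76.99", 80, "S"),    # Yahoo! login over HTTP
    ("10.1.1.7", "64.4.200.1", 443, "S"),    # constructed: other host in 64.4/16
    ("10.1.1.8", "64.58.76.99", 443, "SA"),  # not a SYN; neither rule keys on it
    ("10.1.1.9", "192.0.2.10", 80, "S"),     # constructed: unrelated destination
]


def evaluate(flows=SAMPLE_FLOWS):
    """Count hits for both approaches and list the flows that only the
    broad rule flags, i.e. its potential false positives."""
    narrow_hits, broad_hits, broad_only = [], [], []
    for src, dst, dport, flags in flows:
        if flags != "S":  # both rules use flags: S, so only the SYN counts
            continue
        name = matches_narrow(dst, dport)
        broad = matches_broad(dst, dport)
        if name:
            narrow_hits.append((src, dst, dport, name))
        if broad:
            broad_hits.append((src, dst, dport))
            if not name:
                broad_only.append((src, dst, dport))
    return {"narrow": narrow_hits, "broad": broad_hits, "broad_only": broad_only}


if __name__ == "__main__":
    for rule in snort_rules():
        print(rule)
    print(evaluate())
```

On the constructed flows the narrow rule set flags the Hotmail and Yahoo! logins only, while the broad /16 rule misses the Yahoo! login (different netblock) and additionally flags the SYN to 64.4.200.1, a host that is not one of www.hotmail.com's addresses. Per-address rules built from resolved names are only as current as the last lookup, which is why Abe adds that the Yahoo! addresses "worked a few months ago at least"; regenerating the rules from a fresh resolution is part of maintaining such a policy check.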
Current thread:
- Alert for web-based email sites Sheahan, Paul (PCLN-NW) (Dec 18)
- Re: Alert for web-based email sites Chris Green (Dec 18)
- RE: Alert for web-based email sites Abe L. Getchell (Dec 18)
- RE: Alert for web-based email sites Paul D. Shaffer (Dec 18)
- Re: Alert for web-based email sites Chris Green (Dec 18)