Snort mailing list archives
RE: SMTP rule needed
From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Wed, 10 Apr 2002 10:08:15 -0400
> From: Andreu.Gomez () keisa intrakom com
>
> > Would this catch traffic going to 'hotmail' as well? Thanks anyway, it seems to work.
> > Paul
>
> No, I don't think so. Hotmail is a web-based email service, so it doesn't use port 25. To do so you should write a new rule, something like:
>
>   alert tcp any any -> any 80 (msg:"Hotmail access"; content:"hotmail.com"; flags: A+; nocase; classtype:misc-activity;)
>
> Bear in mind that hotmail has several servers like law4.lc3.hotmail.com, so it's difficult to set up a new rule only for hotmail. If you knew all its IP addresses...
If you are looking for hotmail activity you may want to consider the following...

Create a new variable in your snort.conf file for "HOTMAIL_WEB" and/or "HOTMAIL_SMTP", depending on what you are looking for. Use nslookup, dig, etc. to grab all of Hotmail's relative IP addresses.

Non-authoritative answer:
Name:    hotmail.com
Addresses:  64.4.52.7, 64.4.53.7, 64.4.54.7, 64.4.43.7
            64.4.44.7, 64.4.45.7

<Hotmail's MX records>
Non-authoritative answer:
mx01.hotmail.com   internet address = 64.4.55.71
mx02.hotmail.com   internet address = 64.4.55.135
mx04.hotmail.com   internet address = 64.4.56.135
mx05.hotmail.com   internet address = 64.4.56.199
mx06.hotmail.com   internet address = 64.4.55.7
mx07.hotmail.com   internet address = 64.4.42.7
mx07.hotmail.com   internet address = 65.54.236.7
mx08.hotmail.com   internet address = 64.4.49.7
mx09.hotmail.com   internet address = 64.4.49.71
mx10.hotmail.com   internet address = 64.4.49.135
mx11.hotmail.com   internet address = 64.4.49.199

Monitor users going to Hotmail...

  alert tcp $HOME_NET any -> $HOTMAIL_WEB 80 (msg:"Someone may be using Hotmail"; flags: S; classtype:misc-activity;)

or

  alert tcp $HOTMAIL_WEB 80 -> $HOME_NET any (msg:"Someone went to Hotmail"; flags: SA; classtype:misc-activity;)

Monitor SMTP traffic from Hotmail...

  alert tcp $HOTMAIL_SMTP any -> $HOME_NET 25 (msg:"Receiving SMTP from Hotmail"; flags: S; classtype:misc-activity;)

These rules would be looking for the initial connection (or response) only, which *may* reduce the amount of alerts and false positives, but still alert you to the activity.

Hope this helps,
- Jeff
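The variable-plus-SYN-only approach Jeff describes, as an added example that is not part of the original thread: a small Python model that renders the snort.conf variable and the three rules, then replays constructed packets through a minimal matcher to show that each rule fires once per connection attempt rather than on every packet. The HOME_NET range, the (shortened) Hotmail address lists and the packets are assumed or constructed here; the flags semantics follow Snort 2 (a bare flag set must match exactly, a trailing "+" allows extra flags).

```python
import ipaddress
# Constructed subset of the addresses in the post; HOME_NET is an assumed local range.
VARS = {
    "HOME_NET": ["192.168.1.0/24"],
    "HOTMAIL_WEB": ["64.4.52.7", "64.4.53.7"],
    "HOTMAIL_SMTP": ["64.4.55.71", "64.4.55.135"],
}

def snort_var(name):  # snort.conf variable line (later Snort 2.x spells this 'ipvar')
    return f"var {name} [{','.join(VARS[name])}]"

# (id, src var, src port, dst var, dst port, flags, msg): the three rules from the post
RULES = [
    ("web_out", "HOME_NET", "any", "HOTMAIL_WEB", 80, "S", "Someone may be using Hotmail"),
    ("web_in", "HOTMAIL_WEB", 80, "HOME_NET", "any", "SA", "Someone went to Hotmail"),
    ("smtp_in", "HOTMAIL_SMTP", "any", "HOME_NET", 25, "S", "Receiving SMTP from Hotmail"),
]

def render_rule(rule):
    _, src, sport, dst, dport, flags, msg = rule
    return (f"alert tcp ${src} {sport} -> ${dst} {dport} "
            f'(msg:"{msg}"; flags:{flags}; classtype:misc-activity;)')

def in_var(addr, var):
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in VARS[var])

def flags_match(pattern, flags):
    """Snort semantics: 'S' fires only when SYN alone is set; 'A+' means ACK plus anything."""
    if pattern.endswith("+"):
        return set(pattern[:-1]) <= set(flags)
    return set(pattern) == set(flags)

def match(rule, pkt):
    _, src, sport, dst, dport, flags, _ = rule
    return (in_var(pkt[0], src) and sport in ("any", pkt[1])
            and in_var(pkt[2], dst) and dport in ("any", pkt[3])
            and flags_match(flags, pkt[4]))

def alerts(packets):  # (rule id, msg) for each packet that fires a rule, in packet order
    return [(r[0], r[6]) for pkt in packets for r in RULES if match(r, pkt)]

# Constructed packets (src, sport, dst, dport, flags): a Hotmail web session
# (SYN, SYN/ACK, data), an inbound SYN from a Hotmail MX, a SYN to an unrelated site.
SAMPLE_PACKETS = [
    ("192.168.1.10", 40001, "64.4.52.7", 80, "S"),
    ("64.4.52.7", 80, "192.168.1.10", 40001, "SA"),
    ("192.168.1.10", 40001, "64.4.52.7", 80, "PA"),
    ("64.4.55.71", 51000, "192.168.1.25", 25, "S"),
    ("192.168.1.10", 40002, "198.51.100.9", 80, "S"),
]
```

Running alerts(SAMPLE_PACKETS) yields three alerts for five packets: the data packet and the connection to the unrelated site fire nothing.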
Current thread:
- SMTP rule needed Paul . Simons (Apr 09)
- Re: SMTP rule needed Matt Kettler (Apr 09)
- <Possible follow-ups>
- Re: SMTP rule needed Paul . Simons (Apr 09)
- Re: SMTP rule needed Andreu . Gomez (Apr 10)
- RE: SMTP rule needed Wirth, Jeff (Apr 10)