Snort mailing list archives
RE: SMTP rule needed
From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Wed, 10 Apr 2002 10:08:15 -0400
> From: Andreu.Gomez () keisa intrakom com
>
> > Would this catch traffic going to 'hotmail' as well? Thanks anyway, it seems to work.
> > Paul
>
> No, I don't think so. Hotmail is a web based email service, so it doesn't use port 25. To do so you should write a new rule, something like:
>
> alert tcp any any -> any 80 (msg:"Hotmail access"; content:"hotmail.com"; flags: A+; nocase; classtype:misc-activity;)
>
> Bear in mind that hotmail has several servers like law4.lc3.hotmail.com so it's difficult to set up a new rule only for hotmail. If you knew all its IP addresses...
If you are looking for hotmail activity you may want to consider the
following...
Create a new variable in your snort.conf file for "HOTMAIL_WEB" and/or
"HOTMAIL_SMTP", depending on what you are looking for. Use nslookup, dig,
etc to grab all of Hotmail's relative IP addresses.
Non-authoritative answer:
Name: hotmail.com
Addresses: 64.4.52.7, 64.4.53.7, 64.4.54.7, 64.4.43.7
64.4.44.7, 64.4.45.7
<Hotmail's MX records>
Non-authoritative answer:
mx01.hotmail.com internet address = 64.4.55.71
mx02.hotmail.com internet address = 64.4.55.135
mx04.hotmail.com internet address = 64.4.56.135
mx05.hotmail.com internet address = 64.4.56.199
mx06.hotmail.com internet address = 64.4.55.7
mx07.hotmail.com internet address = 64.4.42.7
mx07.hotmail.com internet address = 65.54.236.7
mx08.hotmail.com internet address = 64.4.49.7
mx09.hotmail.com internet address = 64.4.49.71
mx10.hotmail.com internet address = 64.4.49.135
mx11.hotmail.com internet address = 64.4.49.199
Monitor users going to Hotmail...
alert tcp $HOME_NET any -> $HOTMAIL_WEB 80 (msg:"Someone may be using Hotmail"; flags: S; classtype:misc-activity;)
or
alert tcp $HOTMAIL_WEB 80 -> $HOME_NET any (msg:"Someone went to Hotmail"; flags: SA; classtype:misc-activity;)
Monitor SMTP traffic from Hotmail...
alert tcp $HOTMAIL_SMTP any -> $HOME_NET 25 (msg:"Receiving SMTP from Hotmail"; flags: S; classtype:misc-activity;)
These rules would be looking for the initial connection (or response) only,
which *may* reduce the amount of alerts and false positives, but still alert
you to the activity.
Hope this helps,
- Jeff
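Jeff's recipe above (resolve the addresses, put them in snort.conf variables, alert only on the handshake packet) as an added example that is not code from the thread: a small Python script that pulls the IPs out of nslookup-style output, constructed here from the values quoted in the reply, and emits the `var` lines plus the three handshake-only rules. The `sid` values are assumed local-rule placeholders.

```python
import re

# Constructed sample input: the nslookup output quoted in the reply above.
WEB_LOOKUP = """Non-authoritative answer:
Name: hotmail.com
Addresses: 64.4.52.7, 64.4.53.7, 64.4.54.7, 64.4.43.7
64.4.44.7, 64.4.45.7
"""
MX_LOOKUP = """Non-authoritative answer:
mx01.hotmail.com internet address = 64.4.55.71
mx07.hotmail.com internet address = 64.4.42.7
mx07.hotmail.com internet address = 65.54.236.7
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_ips(lookup_output):
    """Every IPv4 address in nslookup/dig text, deduplicated, in the order seen."""
    seen = []
    for ip in IPV4.findall(lookup_output):
        if ip not in seen:
            seen.append(ip)
    return seen

def snort_var(name, ips):
    """A snort.conf 'var' line; Snort address lists are written as [a,b,c]."""
    return "var %s [%s]" % (name, ",".join(ips))

def flag_rule(src, src_port, dst, dst_port, msg, flags, sid):
    """A rule that fires only on the handshake packet selected by 'flags' (S or SA)."""
    return ('alert tcp %s %s -> %s %s (msg:"%s"; flags:%s; '
            'classtype:misc-activity; sid:%d; rev:1;)'
            % (src, src_port, dst, dst_port, msg, flags, sid))

def build_config(home_net="$HOME_NET"):
    """Two var lines plus the three rules from the reply; sids are placeholders."""
    return [
        snort_var("HOTMAIL_WEB", extract_ips(WEB_LOOKUP)),
        snort_var("HOTMAIL_SMTP", extract_ips(MX_LOOKUP)),
        flag_rule(home_net, "any", "$HOTMAIL_WEB", "80",
                  "Someone may be using Hotmail", "S", 1000001),
        flag_rule("$HOTMAIL_WEB", "80", home_net, "any",
                  "Someone went to Hotmail", "SA", 1000002),
        flag_rule("$HOTMAIL_SMTP", "any", home_net, "25",
                  "Receiving SMTP from Hotmail", "S", 1000003),
    ]

if __name__ == "__main__":
    print("\n".join(build_config()))
```

The address lists are the weak point of this approach: they go stale as the provider adds servers, so the lookup and the `var` block need regenerating, and any server missing from the list produces no alert.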
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SMTP rule needed Paul . Simons (Apr 09)
- Re: SMTP rule needed Matt Kettler (Apr 09)
- <Possible follow-ups>
- Re: SMTP rule needed Paul . Simons (Apr 09)
- Re: SMTP rule needed Andreu . Gomez (Apr 10)
- RE: SMTP rule needed Wirth, Jeff (Apr 10)
