Snort mailing list archives

Re: Email Tracking Code Signature

From: "Lay, James" <james.lay () wincofoods com>
Date: Mon, 31 Oct 2011 10:21:23 -0600

From: Simeon Bush [mailto:Sbush () stas fbi gov] 
Sent: Thursday, October 27, 2011 1:01 PM
To: 'snort-sigs () lists sourceforge net'
Subject: [Snort-sigs] Email Tracking Code Signature

I was wondering if snort has the capability to detect a tracking code in an email source code. I'm sure this 
rule/signature  would be expensive in terms of resource utilization. I've noticed that targeted phishing emails will 
have these embedded into the source code as a callback.

Check out the sensitive data options in snort.conf and the sensitive-data.rules...should give you an idea of what you 
can do to match those.  Be prepared for some false positives.

James

------------------------------------------------------------------------------
Get your Android app more play: Bring it to the BlackBerry PlayBook 
in minutes. BlackBerry App World&#153; now supports Android&#153; Apps 
for the BlackBerry&reg; PlayBook&#153;. Discover just how easy and simple 
it is! http://p.sf.net/sfu/android-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Email Tracking Code Signature Simeon Bush (Oct 27)
- <Possible follow-ups>
- Re: Email Tracking Code Signature Lay, James (Oct 31)