[Snort-sigs] Yahoo Messenger signature

tyler at ...337... tyler at ...337...
Wed Feb 6 09:12:03 EST 2002


True, but that's the problem with Yahoo.. it can run over any port like
AOL.. :-\ .. looks like 80, 23, 20, 21, 119, 25, and 5050.  Perhaps a port
range like, less than 119 or 5050? .. 

-----Original Message-----
From: Michael Scheidell [mailto:scheidell at ...249...]
Sent: Wednesday, February 06, 2002 11:36 AM
To: tyler at ...337...
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Yahoo Messenger signature


> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Yahoo Messenger
access";
> content:"|594D534709|"; \
> depth:5; flags:AP+; classtype:misc-activity; resp:rst_all;)

What about a port range? this will 'scan' the first 5 bytes of every
connection.

-- 
Michael Scheidell
Secnap Network Security, LLC
(561) 368-9561 scheidell at ...249...
Sign up Live WEBCAST Q & A : Should I migrate from IIS?
http://www.secnap.net/


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager at postmaster at ...338...
**********************************************************************




More information about the Snort-sigs mailing list