[Snort-sigs] sigs for popular IM systems

Bill Munger bmunger at ...580...
Thu May 2 09:55:12 EDT 2002


I've been banging my head trying to get these to work, and they finally do,
so I thought I'd share. They are not perfect, but seem to work pretty well.
If you are logging the full packet on alerts, these will keep a transcript
of every conversation on AIM, MSN, and Yahoo messengers.

I solicit criticism and improvements.

============
Bill Munger
bmunger at ...580...

alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"TIME WASTE Yahoo! Messenger Login";flags:PA+;content:"|706174683d2f3b20646f6d61696e3d2e|";)

alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"TIME WASTE MSN Messenger Login";flags:PA+;content:"LoginTime";)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TIME WASTE AOL (IM) Login";flags:PA+;content:"AOL Instant Messenger (SM), version";)

alert tcp 216.136.0.0/16 5050 -> $HOME_NET any (msg:"CHATTER incoming Yahoo!"; flags:PA+; content:"YMSG"; dsize:>52; content:!"TYPING";)

alert tcp $HOME_NET any -> 216.136.0.0/16 5050 (msg:"CHATTER outgoing Yahoo!"; flags:PA+; content:"YMSG"; dsize:>52; content:!"TYPING";)

alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHATTER incoming MSN"; flags:PA+; content:"MSG"; content:!"TypingUser";)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHATTER outgoing MSN"; flags:PA+; content:"MSG"; content:!"TypingUser";)

alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"CHATTER outgoing AIM"; flags:PA+; content:"<BODY BGCOLOR=\"#";)

alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"CHATTER incoming AIM"; flags:PA+; content:"<BODY BGCOLOR=\"#";)
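The payload part of three of the rules above, evaluated outside Snort as an added example that is not part of the original post: it parses the content, negated content and dsize options, expands the |hex| and \" notation, and runs them over constructed (not captured) YMSG, cookie and AIM payloads. Header fields (addresses, ports, TCP flags) are assumed to have matched already and are not checked.

```python
import re

# Rules from the post, each joined onto a single line as Snort expects.
YAHOO_IN = ('alert tcp 216.136.0.0/16 5050 -> $HOME_NET any (msg:"CHATTER incoming Yahoo!"; '
            'flags:PA+; content:"YMSG"; dsize:>52; content:!"TYPING";)')
YAHOO_LOGIN = ('alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"TIME WASTE Yahoo! Messenger Login";'
               'flags:PA+;content:"|706174683d2f3b20646f6d61696e3d2e|";)')
AIM_OUT = ('alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"CHATTER outgoing AIM"; '
           'flags:PA+; content:"<BODY BGCOLOR=\\"#";)')

# Constructed sample payloads (not real captures): a 16-byte YMSG header stand-in,
# a chat message (76 bytes, no TYPING) and a typing notification (67 bytes, contains TYPING).
YMSG_HDR = b"YMSG\x00\x0b\x00\x00\x00\x30\x00\x06\x00\x00\x00\x00"
YAHOO_CHAT = YMSG_HDR + (b"1\xc0\x80alice\xc0\x805\xc0\x80bob\xc0\x8014\xc0\x80"
                         b"hello there, are you free for lunch?\xc0\x80")
YAHOO_TYPING = YMSG_HDR + (b"49\xc0\x80TYPING\xc0\x804\xc0\x80alice\xc0\x805\xc0\x80bob\xc0\x80"
                           b"13\xc0\x80TYPING\xc0\x801002\xc0\x801\xc0\x80")

# name, optional '!' negation, then a quoted (escape-aware) or bare value, up to ';'
OPT_RE = re.compile(r'(\w+)\s*:\s*(!?)\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')

def decode_content(spec):
    """Expand a Snort content string: |..| hex runs become raw bytes, \\" becomes a quote."""
    out, i = bytearray(), 0
    while i < len(spec):
        if spec[i] == "|":
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end])
            i = end + 1
        elif spec[i] == "\\":
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(spec[i]))
            i += 1
    return bytes(out)

def parse_options(rule):
    """Return (name, negated, value) for each option between the rule's parentheses."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(n, neg == "!", v[1:-1] if v.startswith('"') else v) for n, neg, v in OPT_RE.findall(body)]

def payload_matches(rule, payload):
    """Apply only the payload options (content, !content, dsize) of a rule to a TCP payload."""
    for name, negated, value in parse_options(rule):
        if name == "content" and (decode_content(value) in payload) == negated:
            return False  # required pattern missing, or excluded pattern present
        if name == "dsize":
            op, n = re.fullmatch(r"([<>]?)(\d+)", value).groups()
            n = int(n)
            if not (len(payload) > n if op == ">" else len(payload) < n if op == "<" else len(payload) == n):
                return False
    return True
```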
