[Snort-sigs] sigs for popular IM systems

William Stearns wstearns at ...157...
Thu May 2 11:00:05 EDT 2002


Good day, Bill,

On 1 May 2002, Bill Munger wrote:

> I've been banging my head trying to get these to work, and they finally do,
> so I thought I'd share. They are not perfect, but seem to work pretty well.
> If you are logging the full packet on alerts, these will keep a transcript
> of every conversation on AIM, MSN, and Yahoo messengers.
> 
> I solicit criticism and improvements.
> 
> ============
> Bill Munger
> bmunger at ...580...
> 
[snip]
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TIME WASTE AOL (IM)
> Login";flags:PA+;content:"AOL Instant Messenger (SM), version";)
[snip]
> alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"CHATTER outgoing AIM";
> flags:PA+; content:"<BODY BGCOLOR=\"#";)
> 
> alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"CHATTER incoming AIM";
> flags:PA+; content:"<BODY BGCOLOR=\"#";)

	Have you seen any aim packets going to ports other than 5190/tcp?  
If not, how about restricting to that?
	You may want to take a look at the current cvs trees - both the 
snort... and snortrules... files, as experimental.rules has some aim 
signatures keying on the target IP.
	Cheers,
	- Bill

---------------------------------------------------------------------------
        "Very funny, Mr. Scott.  Now beam down my clothes."
(Courtesy of Michael J. Fromberger <sting at ...581...>)
--------------------------------------------------------------------------
William Stearns (wstearns at ...157...).  Mason, Buildkernel, named2hosts, 
and ipfwadm2ipchains are at:                        http://www.stearns.org
--------------------------------------------------------------------------






More information about the Snort-sigs mailing list