[Snort-sigs] sigs for popular IM systems

warchild at ...288... warchild at ...288...
Thu May 2 11:07:15 EDT 2002


> 	Have you seen any aim packets going to ports other than 5190/tcp?  
> If not, how about restricting to that?
> 	You may want to take a look at the current cvs trees - both the 
> snort... and snortrules... files, as experimental.rules has some aim 
> signatures keying on the target IP.

Newer versions of the client are extremely adept at finding their way out.
The last time I played with the Windows client, it had a button that
essentially allowed AIM to burrow its way out.  It tries damn near every
common port - ftp, dns, http, https, proxy.  

You will be able to fine tune such troublesome rules when support for port
lists is enabled.

cheers,

-jon



