[Snort-sigs] sigs for popular IM systems
emf at ...4...
Thu May 2 11:28:32 EDT 2002
On Thu, May 02, 2002 at 01:58:55PM -0400, William Stearns wrote:
> Have you seen any aim packets going to ports other than 5190/tcp?
> If not, how about restricting to that?
This depends on the environment. The AIM servers at AOL are modified
to listen on all ports, not just 5190/tcp. This is specifically
so that AIM can circumvent firewalls.
> You may want to take a look at the current cvs trees - both the
> snort... and snortrules... files, as experimental.rules has some aim
> signatures keying on the target IP.
These IPs change often. It's much better, IMHO, to key off things
that show up in the AIM conversation. (say, for instance, an ad
banner request, or the signon messages...)
All in all, good work Bill. I'll give these sigs a try myself.
Security Administrator, ServerVault, Inc.
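
Added example, not part of the original message or of the Snort rule set: a Python sketch contrasting a port-only match with a content match on the AIM signon frame, run over constructed payloads. The FLAP framing it checks (0x2A marker, channel 1, 32-bit version 1) comes from public descriptions of the OSCAR protocol, not from this thread; all function names and sample data are hypothetical, and it assumes the frame starts at the beginning of the TCP payload.

```python
import struct

FLAP_MARKER = 0x2A        # first byte of every OSCAR/FLAP frame ('*')
CHANNEL_SIGNON = 0x01     # FLAP channel used for the connection handshake
AIM_DEFAULT_PORT = 5190


def port_match(dst_port: int) -> bool:
    """Port-only check: misses AIM on other ports, flags anything on 5190."""
    return dst_port == AIM_DEFAULT_PORT


def is_flap_signon(payload: bytes) -> bool:
    """Content check: payload begins with a well-formed FLAP signon frame."""
    if len(payload) < 10:                      # 6-byte header + 4-byte version
        return False
    marker, channel, _seq, length = struct.unpack(">BBHH", payload[:6])
    if marker != FLAP_MARKER or channel != CHANNEL_SIGNON:
        return False
    if length < 4 or len(payload) < 6 + length:
        return False                           # declared length must fit
    return payload[6:10] == b"\x00\x00\x00\x01"  # FLAP version field


def classify(segments):
    """Return (port_hit, content_hit) for each (dst_port, payload) pair."""
    return [(port_match(port), is_flap_signon(data)) for port, data in segments]


def flap(channel: int, seq: int, data: bytes) -> bytes:
    """Build a FLAP frame for the constructed samples below."""
    return struct.pack(">BBHH", FLAP_MARKER, channel, seq, len(data)) + data


# Constructed sample traffic (not captured from a real network).
SAMPLES = [
    (5190, flap(1, 1, b"\x00\x00\x00\x01")),   # signon on the default port
    (80,   flap(1, 7, b"\x00\x00\x00\x01")),   # signon sent to port 80
    (80,   b"GET / HTTP/1.0\r\n\r\n"),         # ordinary HTTP request
    (5190, b"*not a flap frame"),              # non-AIM data on port 5190
]

if __name__ == "__main__":
    for (port, _), hits in zip(SAMPLES, classify(SAMPLES)):
        print(port, "port_hit=%s content_hit=%s" % hits)
```

The second sample is the case a port-restricted rule misses, and the fourth is the false positive it produces.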