[Snort-sigs] sigs for popular IM systems

Erik Fichtner emf at ...4...
Thu May 2 11:28:32 EDT 2002


On Thu, May 02, 2002 at 01:58:55PM -0400, William Stearns wrote:
> 	Have you seen any aim packets going to ports other than 5190/tcp?  
> If not, how about restricting to that?

This depends on the environment. The AIM servers at AOL are modified
to listen on all ports, not just 5190/tcp. This is specifically
so that AIM can circumvent firewalls.

> 	You may want to take a look at the current cvs trees - both the 
> snort... and snortrules... files, as experimental.rules has some aim 
> signatures keying on the target IP.

These IPs change often. It's much better, IMHO, to key off things
that show up in the AIM conversation.  (say, for instance, an ad
banner request, or the signon messages...)

All in all, good work Bill.   I'll give these sigs a try myself.



-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-652-5900

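Added example, not part of the original message or of the Snort rule set: a small Python comparison of a port-only match against a content match on the AIM signon message, run over constructed payloads. The FLAP frame layout used here (0x2A marker, channel byte, 16-bit sequence, 16-bit length, then a 4-byte version in the signon frame) comes from public descriptions of the OSCAR protocol, not from this thread; the function names and sample data are hypothetical.

```python
import struct

FLAP_MARKER = 0x2A                  # every FLAP frame starts with '*'
CHANNEL_SIGNON = 0x01               # channel 1 carries the signon frame
FLAP_VERSION = b"\x00\x00\x00\x01"  # first 4 data bytes of a signon frame


def is_aim_signon(payload: bytes) -> bool:
    """True if a client payload begins with a FLAP signon frame."""
    if len(payload) < 10:           # 6-byte header + 4-byte version
        return False
    marker, channel, _seq, length = struct.unpack(">BBHH", payload[:6])
    if marker != FLAP_MARKER or channel != CHANNEL_SIGNON:
        return False
    # The declared data length must at least cover the version field.
    return length >= 4 and payload[6:10] == FLAP_VERSION


def match_port_only(dst_port: int, payload: bytes) -> bool:
    """Signature restricted to the default AIM port."""
    return dst_port == 5190


def match_content(dst_port: int, payload: bytes) -> bool:
    """Signature keyed on the signon message, on any port."""
    return is_aim_signon(payload)


def flap(channel: int, seq: int, data: bytes) -> bytes:
    """Build a FLAP frame for the constructed samples below."""
    return struct.pack(">BBHH", FLAP_MARKER, channel, seq, len(data)) + data


# Constructed samples: (label, destination port, first client payload).
SAMPLES = [
    ("signon on 5190", 5190, flap(1, 1, FLAP_VERSION)),
    ("signon on 80", 80, flap(1, 7, FLAP_VERSION + b"\x00\x06\x00\x04abcd")),
    ("HTTP on 80", 80, b"GET / HTTP/1.0\r\n\r\n"),
    ("non-AIM on 5190", 5190, b"\x00" * 12),
    ("short payload", 443, b"*\x01"),
]


def evaluate() -> dict:
    """Map each sample label to (port_only_hit, content_hit)."""
    return {name: (match_port_only(port, data), match_content(port, data))
            for name, port, data in SAMPLES}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:18} port-only={hits[0]!s:5} content={hits[1]}")
```

The port-only match misses the signon sent to port 80 and fires on unrelated traffic to 5190, while the content match follows the session wherever it connects.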


