[Snort-sigs] sigs for popular IM systems

Imran William Smith iwsmith at ...500...
Thu May 2 18:49:58 EDT 2002

It works fine when doing this into a database, in our experience:

We log with snort on remote sensors to tcpdump format, then transfer those
tcpdump-format files back to our centre and load into a database using snort,
and the identical ruleset to that used on the sensor.

Our database has the time and date of the original attack, not the time it was
loaded into our database.  So the tcpdump format file must be correctly recording
the original time the packet was seen, and snort is using that date.

But maybe the time on the 'alert file' is wrong, and the time stored in the
database is correct?

Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

----- Original Message ----- 
From: "Bill Munger" <bmunger at ...580...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Thursday, May 02, 2002 4:12 AM
Subject: [Snort-sigs] sigs for popular IM systems

| I've been banging my head trying to get these to work, and they finally do,
| so I thought I'd share. They are not perfect, but seem to work pretty well.
| If you are logging the full packet on alerts, these will keep a transcript
| of every conversation on AIM, MSN, and Yahoo messengers.
| I solicit criticism and improvements.
| ============
| Bill Munger
| bmunger at ...580...
| alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"TIME WASTE Yahoo!
| Messenger Login";flags:PA+;content:"|706174683d2f3b20646f6d61696e3d2e|";)
| alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"TIME WASTE MSN Messenger
| Login";flags:PA+;content:"LoginTime";)
| alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TIME WASTE AOL (IM)
| Login";flags:PA+;content:"AOL Instant Messenger (SM), version";)
| alert tcp 5050 -> $HOME_NET any (msg:"CHATTER incoming
| Yahoo!"; flags:PA+; content:"YMSG"; dsize:>52; content: !"TYPING";)
| alert tcp $HOME_NET any -> 5050 (msg:"CHATTER outgoing
| Yahoo!"; flags:PA+; content:"YMSG"; dsize:>52; content: !"TYPING";)
| alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHATTER incoming MSN";
| flags:PA+; content:"MSG"; content: !"TypingUser";)
| alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHATTER outgoing MSN";
| flags:PA+; content:"MSG"; content: !"TypingUser";)
| alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"CHATTER outgoing AIM";
| flags:PA+; content:"<BODY BGCOLOR=\"#";)
| alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"CHATTER incoming AIM";
| flags:PA+; content:"<BODY BGCOLOR=\"#";)
| _______________________________________________________________
| Have big pipes? SourceForge.net is looking for download mirrors. We supply
| the hardware. You get the recognition. Email Us: bandwidth at ...198...
| _______________________________________________
| Snort-sigs mailing list
| Snort-sigs at lists.sourceforge.net
| https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-sigs mailing list