[Snort-sigs] sigs for popular IM systems

Imran William Smith iwsmith at ...500...
Thu May 2 19:14:02 EDT 2002


I built the following rules, but have not tested them much yet.
I was particularly worried about file transfers in Yahoo messenger, since
these will allow files in and out of the organisation totally unaudited.

Only the original connect to Yahoo should be flagged, not every single message,
to reduce the amount of data logged.

Maybe you'd like to test?  We don't have our sensors on the same subnet
using Yahoo at the moment, so I only built these based on tcpdump
traces.

alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"INFO Yahoo messenger login"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Yahoo messenger login through port 80"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 119 (msg:"INFO Yahoo messenger file transfer"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INFO Yahoo messenger file transfer through port 80"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)


--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia
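Since the rules above were built from traces rather than run on a sensor, here is an offline check of what they fire on. This is an added example, not code from the post: it emulates only the parts of Snort's rule semantics the rules depend on (header direction and ports, plus AND-ed, case-sensitive, position-independent content: substring tests), ignores the flags: A+ test and stream reassembly, and runs over constructed packets rather than captures.

```python
# Added example: minimal emulation of how Snort evaluates the four Yahoo
# rules above. Direction/ports come from the header; every content: string
# must appear somewhere in the payload (case-sensitive, any order, any
# offset). flags: A+ and TCP stream reassembly are deliberately not modelled.
import re

RULES_TEXT = """
alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"INFO Yahoo messenger login"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Yahoo messenger login through port 80"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 119 (msg:"INFO Yahoo messenger file transfer"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INFO Yahoo messenger file transfer through port 80"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)
"""

_HEADER = re.compile(r"^alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$")
_OPTION = re.compile(r'(\w+):\s*(?:"([^"]*)"|([^;]*));')

def parse_rule(line):
    src_net, src_port, dst_net, dst_port, opts = _HEADER.match(line.strip()).groups()
    contents, sid = [], None
    for key, quoted, bare in _OPTION.findall(opts):
        if key == "content":
            contents.append(quoted.encode())   # every content: must be present
        elif key == "sid":
            sid = int(bare)
    return {"src": (src_net, src_port), "dst": (dst_net, dst_port),
            "contents": contents, "sid": sid}

RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, pkt):
    src_net, src_port, dst_net, dst_port, payload = pkt
    return (rule["src"][0] == src_net and _port_ok(rule["src"][1], src_port)
            and rule["dst"][0] == dst_net and _port_ok(rule["dst"][1], dst_port)
            and all(c in payload for c in rule["contents"]))

def alerts(pkt):
    """SIDs that would fire for one packet (src_net, src_port, dst_net, dst_port, payload)."""
    return [r["sid"] for r in RULES if matches(r, pkt)]

# Constructed packets (not captures); networks are named by the rule variable they fall in.
LOGIN = ("$EXTERNAL_NET", 119, "$HOME_NET", 33001, b"YMSG...domain=.yahoo.com")
CHAT = ("$EXTERNAL_NET", 119, "$HOME_NET", 33001, b"YMSG...just a message")   # no alert
XFER = ("$HOME_NET", 33001, "$EXTERNAL_NET", 80, b"YMSG...FILEXFER")
# A chat message that merely quotes the login string also fires sid 1000001,
# because content: is a substring test over the whole payload.
QUOTED = ("$EXTERNAL_NET", 119, "$HOME_NET", 33001, b"YMSG...try domain=.yahoo.com")
```

Ordinary chat frames carry only the YMSG magic and stay silent, which is the intended logging volume; the last packet shows why a login-string match alone is not proof of a new session.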



----- Original Message -----
From: "William Stearns" <wstearns at ...157...>
To: "Bill Munger" <bmunger at ...580...>
Cc: "ML-snort-sigs" <snort-sigs at lists.sourceforge.net>
Sent: Friday, May 03, 2002 1:58 AM
Subject: Re: [Snort-sigs] sigs for popular IM systems


| Good day, Bill,
|
| On 1 May 2002, Bill Munger wrote:
|
| > I've been banging my head trying to get these to work, and they finally do,
| > so I thought I'd share. They are not perfect, but seem to work pretty well.
| > If you are logging the full packet on alerts, these will keep a transcript
| > of every conversation on AIM, MSN, and Yahoo messengers.
| >
| > I solicit criticism and improvements.
| >
| > ============
| > Bill Munger
| > bmunger at ...580...
| >
| [snip]
| > alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TIME WASTE AOL (IM) Login";flags:PA+;content:"AOL Instant Messenger (SM), version";)
| [snip]
| > alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"CHATTER outgoing AIM"; flags:PA+; content:"<BODY BGCOLOR=\"#";)
| >
| > alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"CHATTER incoming AIM"; flags:PA+; content:"<BODY BGCOLOR=\"#";)
|
| Have you seen any aim packets going to ports other than 5190/tcp?
| If not, how about restricting to that?
| You may want to take a look at the current cvs trees - both the
| snort... and snortrules... files, as experimental.rules has some aim
| signatures keying on the target IP.
| Cheers,
| - Bill
|
| ---------------------------------------------------------------------------
|         "Very funny, Mr. Scott.  Now beam down my clothes."
| (Courtesy of Michael J. Fromberger <sting at ...581...>)
| --------------------------------------------------------------------------
| William Stearns (wstearns at ...157...).  Mason, Buildkernel, named2hosts,
| and ipfwadm2ipchains are at:                        http://www.stearns.org
| --------------------------------------------------------------------------




