[Snort-sigs] AIM Express sigs

Alan Kloster akloster at ...1741...
Thu Aug 7 07:10:06 EDT 2003


We also use snort to log instant messages to a separate database for posterity.  In case anyone else is doing this, here are two sigs to catch AIM Express messages.  AIM Express is the web based version of AOL Instant Messager.  These have worked quite well.

## Detect AIM Express sent messages
internal tcp any any -> any 80 (msg:"CHAT AIM Express send message"; content:"|7
3 65 6e 64 5f 69 6d|"; classtype:policy-violation; priority:3; rev:1;)
## Detect AIM Express received messages
internal tcp $EXTERNAL_NET 80 -> any any (msg:"CHAT AIM Express receive message"
; content:"|5f 49 4e 3a|"; classtype:policy-violation; priority:3; rev:1;)

Alan Kloster





More information about the Snort-sigs mailing list