[Snort-sigs] Yahoo Instant Messenger Login

spy guy spyguy703 at ...817...
Fri Jan 24 09:05:06 EST 2003

I am still trying to create a rule to detect logins to Yahoo Instant
Messenger service.

Users are connecting on both port 23 and port 80.

I am not trying to capture logins, I just need to know how many
individual users are using the service.

Here is what I came up with, but it generates too many alerts.

alert tcp $HOME_NET any -> $YIM_SERVERS any (content: "YMSG"; flags: PA;
msg: "YIM_Login";)

Any suggestions?

More information about the Snort-sigs mailing list