[Snort-sigs] Yahoo Instant Messenger Login

Erek Adams erek at ...95...
Fri Jan 24 09:25:02 EST 2003

On Fri, 24 Jan 2003, spy guy wrote:

> I am still trying to create a rule to detect logins to Yahoo Instant
> Messenger service.
> Users are connecting on both port 23 and port 80.
> I am not trying to capture logins, I just need to know how many
> individual users are using the service.
> Here is what I came up with, but it generates too many alerts.
> alert tcp $HOME_NET any -> $YIM_SERVERS any (content: "YMSG"; flags: PA;
> msg: "YIM_Login";)

alert tcp $HOME_NET any -> $YIM_SERVERS any (content: "YMSG";
flow:to_server,established; msg: "YIM_Login")

Might work a bit better for you.

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

More information about the Snort-sigs mailing list