[Snort-sigs] Yahoo Instant Messenger Login
erek at ...95...
Fri Jan 24 09:25:02 EST 2003
On Fri, 24 Jan 2003, spy guy wrote:
> I am still trying to create a rule to detect logins to Yahoo Instant
> Messenger service.
> Users are connecting on both port 23 and port 80.
> I am not trying to capture logins, I just need to know how many
> individual users are using the service.
> Here is what I came up with, but it generates too many alerts.
> alert tcp $HOME_NET any -> $YIM_SERVERS any (content: "YMSG"; flags: PA;
> msg: "YIM_Login";)
alert tcp $HOME_NET any -> $YIM_SERVERS any (content: "YMSG";
flow:to_server,established; msg: "YIM_Login")
Might work a bit better for you.
"When things get weird, the weird turn pro." H.S. Thompson
More information about the Snort-sigs