[Snort-sigs] sigs for MSM via proxies

Jason Haar Jason.Haar at ...651...
Thu Jun 19 15:45:10 EDT 2003

Currently the MSM rules match against port 1863. However, our networks lie
behind proxies and it looks like MSM uses a Web-based API in order to route
via proxies. The proxy logs show the likes of:


Obviously that's port 80...

The following rule catches LOGIN attempts via a POST proxy:

alert tcp $HOME_NET any -> $MSM_SERVERS 80 (msg:"CHAT MSN login attempt";
flow:to_server,established; content:"USR "; content:" MD5 I "; within:10;
classtype:policy-violation; sid:1991; rev:1;)

In fact, I wonder if it would generally be better to move all the MSN rules
over into a format like that used for AIM? I *think* all MSM servers are in
that network range - then you could replace the dst port with "any" for all
the rules...?


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
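
Added example, not part of the original post and not Snort code: a Python emulation of the rule's payload options (content:"USR " followed by content:" MD5 I " within 10 bytes), run over constructed payloads to show that the match does not depend on the port and where the 10-byte window stops matching. The sample payloads, the placeholder gateway URL and the function names are assumptions made for illustration.

```python
# Emulates only the payload part of the rule in the post:
#   content:"USR "; content:" MD5 I "; within:10;
# Header checks (addresses, port 80, flow) are not modelled here.

def content_within(payload: bytes, first: bytes, second: bytes, within: int) -> bool:
    """True if `second` lies wholly inside the `within` bytes that follow
    some occurrence of `first` (relative content matching)."""
    start = payload.find(first)
    while start != -1:
        end = start + len(first)
        if second in payload[end:end + within]:
            return True
        # Retry from the next occurrence of the first pattern.
        start = payload.find(first, start + 1)
    return False

def msn_login(payload: bytes) -> bool:
    return content_within(payload, b"USR ", b" MD5 I ", 10)

# Constructed samples (not captured traffic).
USR = b"USR 3 MD5 I user@example.com\r\n"
SAMPLES = {
    # Command sent directly, as the port 1863 rules expect to see it.
    "direct": USR,
    # Same command as the body of a POST through a proxy (placeholder URL).
    "proxied": (b"POST http://gateway.example.invalid/placeholder HTTP/1.0\r\n"
                b"Content-Length: %d\r\n\r\n" % len(USR)) + USR,
    # Three-digit transaction id: "123 MD5 I " is exactly 10 bytes, still matches.
    "trid_3_digits": b"USR 123 MD5 I user@example.com\r\n",
    # Four-digit transaction id pushes " MD5 I " past the window: missed.
    "trid_4_digits": b"USR 1234 MD5 I user@example.com\r\n",
    # Both strings present but too far apart: no alert.
    "unrelated": b"POST /form HTTP/1.0\r\n\r\nUSR agreement: MD5 I think\r\n",
}

def run_samples() -> dict:
    return {name: msn_login(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:14s} {'ALERT' if hit else 'no match'}")
```

The four-digit case shows the cost of the tight window: a long-lived session whose transaction id has grown past three digits would not match this rule.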
