[Snort-sigs] sigs for MSM via proxies

Jason Haar Jason.Haar at ...651...
Thu Jun 19 15:45:10 EDT 2003


Currently the MSM rules match against port 1863. However, our networks lie
behind proxies and it looks like MSM uses a Web-based API in order to route
via proxies. The proxy logs show the likes of:

POST http://207.46.110.25/gateway/gateway.dll?


Obviously that's port 80...

The following rule catches LOGIN attempts via a POST proxy:

var MSM_SERVERS [207.46.0.0/16]
alert tcp $HOME_NET any -> $MSM_SERVERS 80 (msg:"CHAT MSN login attempt"; \
    flow:to_server,established; content:"USR "; content:" MD5 I "; within:10; \
    classtype:policy-violation; sid:1991; rev:1;)

In fact, I wonder if it would generally be better to move all the MSN rules
over into a format like that used for AIM? I *think* all MSM servers are in
that network range - then you could replace the dst port with "any" for all
the rules...?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
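
Added example (not part of the original post and not Snort code): a Python sketch that flags proxy log lines showing the gateway.dll POST quoted above, and emulates the rule's two content matches with its 10-byte within window so the rule's coverage can be checked against sample payloads. The log lines, payloads and function names are constructed for illustration; the payload layout (a numeric field between "USR " and " MD5 I ") is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

MSM_SERVERS = ipaddress.ip_network("207.46.0.0/16")  # range given in the post

def rule_matches(payload: bytes, first=b"USR ", second=b" MD5 I ", within=10) -> bool:
    """Emulate content:"USR "; content:" MD5 I "; within 10 on one payload."""
    start = payload.find(first)
    while start != -1:
        end = start + len(first)
        # The second pattern must lie entirely inside the 10 bytes that
        # follow the end of the first match.
        if second in payload[end:end + within]:
            return True
        start = payload.find(first, start + 1)  # retry on a later "USR "
    return False

def is_gateway_post(log_line: str) -> bool:
    """True for a POST to /gateway/gateway.dll on a literal IP in MSM_SERVERS."""
    parts = log_line.split()
    if "POST" not in parts or parts.index("POST") + 1 >= len(parts):
        return False
    url = urlsplit(parts[parts.index("POST") + 1])
    try:
        host = ipaddress.ip_address(url.hostname or "")
    except ValueError:
        return False  # hostname rather than IP: would need DNS, not done here
    return host in MSM_SERVERS and url.path.lower() == "/gateway/gateway.dll"

# Constructed proxy log lines (client address, method, URL).
SAMPLE_LOG = [
    "10.0.0.5 POST http://207.46.110.25/gateway/gateway.dll?",
    "10.0.0.6 GET http://207.46.110.25/gateway/gateway.dll?",
    "10.0.0.7 POST http://192.0.2.10/gateway/gateway.dll?",
]
# Constructed payloads; the field after "USR " varies in width.
SAMPLE_PAYLOADS = [
    b"USR 3 MD5 I user@example.com\r\n",     # 1-byte field: inside the window
    b"USR 123 MD5 I user@example.com\r\n",   # 3-byte field: still inside
    b"USR 1234 MD5 I user@example.com\r\n",  # 4-byte field: window too short
]

def triage():
    """Return (flagged log lines, per-payload rule verdicts)."""
    hits = [line for line in SAMPLE_LOG if is_gateway_post(line)]
    return hits, [rule_matches(p) for p in SAMPLE_PAYLOADS]

if __name__ == "__main__":
    print(triage())
```

The last payload shows the limit of the 10-byte window: " MD5 I " is 7 bytes long, so the rule only fires when at most 3 bytes separate it from "USR ".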



