[Snort-sigs] sigs for MSM via proxies
Jason.Haar at ...651...
Thu Jun 19 15:45:10 EDT 2003
Currently the MSM rules match against port 1863. However, our networks lie
behind proxies and it looks like MSM uses a Web-based API in order to route
via proxies. The proxy logs show the likes of:
Obviously that's port 80...
The following rule catches LOGIN attempts via a POST proxy:
var MSM_SERVERS [126.96.36.199/16]
alert tcp $HOME_NET any -> $MSM_SERVERS 80 (msg:"CHAT MSN login attempt"; \
    flow:to_server,established; content:"USR "; content:" MD5 I "; within:10; \
    classtype:policy-violation; sid:1991; rev:1;)
In fact, I wonder if it would generally be better to move all the MSN rules
over into a format like that used for AIM? I *think* all MSM servers are in
that network range - then you could replace the dst port with "any" for all
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
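
Added example (not part of the original post and not Snort code): a small Python model of how the rule's two content matches and the within:10 modifier interact, run over constructed HTTP POST bodies. It assumes within:N restricts the search for the second pattern to the N bytes after the end of the first match; the request path, host and account name are placeholders.

```python
# Added example: models the content + within pair from the rule above.
# Assumption: within:N limits the search for the second pattern to the N bytes
# that follow the end of the first match (the whole pattern must fit there).

FIRST = b"USR "
SECOND = b" MD5 I "
WITHIN = 10


def rule_matches(payload: bytes, first=FIRST, second=SECOND, within=WITHIN) -> bool:
    """Return True if `second` lies fully inside `within` bytes after any `first`."""
    start = payload.find(first)
    while start != -1:
        end = start + len(first)
        window = payload[end:end + within]
        if second in window:
            return True
        # Retry from the next occurrence of the first pattern.
        start = payload.find(first, start + 1)
    return False


def max_gap(second=SECOND, within=WITHIN) -> int:
    """Largest number of bytes allowed between the two patterns."""
    return within - len(second)


def post(body: bytes) -> bytes:
    """Build a constructed HTTP POST (placeholder path and host) around body."""
    head = (b"POST /placeholder-gateway HTTP/1.0\r\n"
            b"Host: proxy-target.example\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


# Constructed samples: the field between the two patterns grows by one digit.
SAMPLES = {
    "short_id": post(b"USR 3 MD5 I user@example.com\r\n"),
    "three_digit_id": post(b"USR 123 MD5 I user@example.com\r\n"),
    "four_digit_id": post(b"USR 1234 MD5 I user@example.com\r\n"),
    "no_login": post(b"CHG 5 NLN\r\n"),
}

if __name__ == "__main__":
    print("max bytes between patterns:", max_gap())
    for name, data in SAMPLES.items():
        print(name, rule_matches(data))
```

Under that assumption the field between "USR " and " MD5 I " can be at most three bytes long before the rule stops firing, which is worth checking against real proxied sessions before relying on the signature.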