[Snort-sigs] sigs for MSM via proxies

Tinsley Paul Paul.Tinsley at ...1517...
Fri Jun 20 06:19:03 EDT 2003

Just wondering, do you get this error when you start up using the rule you
Jun 20 07:54:54 xxxxxxxx snort: Warning:
/usr/local/snort/rules/local.rules(40) => Unknown keyword 'within 10' in

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at ...651...]
Sent: Thursday, June 19, 2003 5:44 PM
To: snort-sigs mailinglist
Subject: [Snort-sigs] sigs for MSM via proxies

Currently the MSM rules match against port 1863. However, our networks lie
behind proxies and it looks like MSM uses a Web-based API in order to route
via proxies. The proxy logs show the likes of:


Obviously that's port 80...

The following rule catches LOGIN attempts via a POST proxy

alert tcp $HOME_NET any -> $MSM_SERVERS 80 (msg:"CHAT MSN login attempt";
flow:to_server,established; content:"USR "; content:" MD5 I "; within 10;
classtype:policy-violation; sid:1991; rev:1;)

In fact, I wonder if it would generally be better to move all the MSN rules
over into a format like that used for AIM? I *think* all MSM servers are in
that network range - then you could replace the dst port with "any" for all
the rules...?


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
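
An added example, not part of either post: the warning quoted in the reply names the option 'within 10', and Snort rule options are written "keyword:value;". This Python sketch (the function names are hypothetical) splits the option list of the rule posted above and flags any option where whitespace stands where the colon should be.

```python
import re

# The rule exactly as posted in the thread, joined onto one line.
RULE = ('alert tcp $HOME_NET any -> $MSM_SERVERS 80 (msg:"CHAT MSN login attempt"; '
        'flow:to_server,established; content:"USR "; content:" MD5 I "; within 10; '
        'classtype:policy-violation; sid:1991; rev:1;)')

def split_options(rule):
    """Split the text between the outer parentheses on ';',
    ignoring semicolons that are quoted or backslash-escaped."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def lint_rule(rule):
    """Return (option, suggested_fix) pairs for options whose keyword part
    contains whitespace, i.e. 'keyword value' written without the colon."""
    findings = []
    for opt in split_options(rule):
        keyword = opt.partition(":")[0].strip()
        parts = opt.split(None, 1)
        if len(parts) == 2 and re.search(r"\s", keyword):
            findings.append((opt, f"{parts[0]}:{parts[1]}"))
    return findings

if __name__ == "__main__":
    for bad, fix in lint_rule(RULE):
        print(f"malformed option {bad!r}; expected {fix!r}")
```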
