[Snort-sigs] sigs for MSM via proxies

Tinsley Paul Paul.Tinsley at ...1517...
Fri Jun 20 06:19:03 EDT 2003


Just wondering, do you get this error when you start up using the rule you
posted:
Jun 20 07:54:54 xxxxxxxx snort: Warning:
/usr/local/snort/rules/local.rules(40) => Unknown keyword 'within 10' in
rule!

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at ...651...]
Sent: Thursday, June 19, 2003 5:44 PM
To: snort-sigs mailinglist
Subject: [Snort-sigs] sigs for MSM via proxies


Currently the MSM rules match against port 1863. However, our networks lie
behind proxies and it looks like MSM uses a Web-based API in order to route
via proxies. The proxy logs show the likes of:

POST http://207.46.110.25/gateway/gateway.dll?


Obviously that's port 80...

The following rule catches LOGIN attempts via a POST proxy

var MSM_SERVERS [207.46.0.0/16]
alert tcp $HOME_NET any -> $MSM_SERVERS 80 (msg:"CHAT MSN login attempt";
flow:to_server,established; content:"USR "; content:" MD5 I "; within 10;
classtype:policy-violation; sid:1991; rev:1;)

In fact, I wonder if it would generally be better to move all the MSN rules
over into a format like that used for AIM? I *think* all MSM servers are in
that network range - then you could replace the dst port with "any" for all
the rules...?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
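
Added example, not part of the original thread: Snort rule options are written as `keyword:argument;`, and the warning quoted at the top of this message names `within 10` as a single keyword. The sketch below is a simplified model of option splitting, not Snort's own parser; the function names and the partial keyword list are assumptions made for the illustration. It reproduces the warning for the posted rule and shows the colon form passing.

```python
KNOWN_KEYWORDS = {  # partial list, enough for the rule in this thread
    "msg", "flow", "content", "within", "distance", "offset", "depth",
    "nocase", "classtype", "sid", "rev", "reference",
}

# Rule exactly as posted in the message (line wraps joined).
POSTED_RULE = (
    'alert tcp $HOME_NET any -> $MSM_SERVERS 80 (msg:"CHAT MSN login attempt"; '
    'flow:to_server,established; content:"USR "; content:" MD5 I "; within 10; '
    'classtype:policy-violation; sid:1991; rev:1;)'
)
# Same rule with the modifier written as keyword:argument.
CORRECTED_RULE = POSTED_RULE.replace("within 10;", "within:10;")

def split_options(rule):
    """Split the parenthesised option list on ';', ignoring ';' inside quotes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    options, current, in_quotes, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            if current.strip():
                options.append(current.strip())
            current = ""
        else:
            current += ch
        prev = ch
    if current.strip():
        options.append(current.strip())
    return options

def unknown_keywords(rule):
    """Return option keywords (text before the first ':') that are not known."""
    keywords = (opt.split(":", 1)[0].strip() for opt in split_options(rule))
    return [kw for kw in keywords if kw not in KNOWN_KEYWORDS]

def suggest(keyword):
    """If 'kw arg' starts with a known keyword, propose 'kw:arg;'."""
    parts = keyword.split(None, 1)
    if len(parts) == 2 and parts[0] in KNOWN_KEYWORDS:
        return f"{parts[0]}:{parts[1]};"
    return None

if __name__ == "__main__":
    for name, rule in (("posted", POSTED_RULE), ("corrected", CORRECTED_RULE)):
        for kw in unknown_keywords(rule):
            print(f"{name}: Unknown keyword '{kw}' -> try {suggest(kw)}")
```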

