[Snort-sigs] sigs for MSM via proxies

Ciprian Badescu ciprian.badescu at ...1623...
Fri Jun 20 07:06:21 EDT 2003


Hi,

The error is normal:

 content:" MD5 I "; within 10;classtype:policy-violation;

with the ":" missing after "within".

--
______V______   Ciprian Badescu
A L C A T E L   Mobile Networks Division R&D Center
Phone: +40 56 303100 (ext. 5786)
Fax: +40 56 295386
Email: Ciprian.Badescu at ...1623...

On Fri, 20 Jun 2003, Tinsley Paul wrote:

> Date: Fri, 20 Jun 2003 08:15:22 -0500
> From: Tinsley Paul <Paul.Tinsley at ...1515...>
> To: 'Jason Haar' <Jason.Haar at ...651...>,
>      snort-sigs mailinglist <Snort-sigs at lists.sourceforge.net>
> Subject: RE: [Snort-sigs] sigs for MSM via proxies
>
> Just wondering, do you get this error when you start up using the rule you
> posted:
> Jun 20 07:54:54 xxxxxxxx snort: Warning:
> /usr/local/snort/rules/local.rules(40) => Unknown keyword 'within 10' in
> rule!
>
> -----Original Message-----
> From: Jason Haar [mailto:Jason.Haar at ...651...]
> Sent: Thursday, June 19, 2003 5:44 PM
> To: snort-sigs mailinglist
> Subject: [Snort-sigs] sigs for MSM via proxies
>
>
> Currently the MSM rules match against port 1863. However, our networks lie
> behind proxies and it looks like MSM uses a Web-based API in order to route
> via proxies. The proxy logs show the likes of:
>
> POST http://207.46.110.25/gateway/gateway.dll?
>
>
> Obviously that's port 80...
>
> The following rule catches LOGIN attempts via a POST proxy
>
> var MSM_SERVERS [207.46.0.0/16]
> alert tcp $HOME_NET any -> $MSM_SERVERS 80 (msg:"CHAT MSN login attempt";
> flow:to_server,established; content:"USR "; content:" MD5 I "; within 10;
> classtype:policy-violation; sid:1991; rev:1;)
>
> In fact, I wonder if it would generally be better to move all the MSN rules
> over into a format like that used for AIM? I *think* all MSM servers are in
> that network range - then you could replace the dst port with "any" for all
> the rules...?
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: INetU
> Attention Web Developers & Consultants: Become An INetU Hosting Partner.
> Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
> INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
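As an added example (not code from any message in this thread), a small Python checker that reproduces why Snort printed "Unknown keyword 'within 10'": it splits the rule's option block on ";" the way Snort does and flags any option whose keyword is not followed by ":". The keyword set is an illustrative subset rather than Snort's full option table, and the rule string is the one Jason posted.

```python
# Added example: reproduce why Snort rejected 'within 10' in the posted rule.
# The keyword table is an illustrative subset, not Snort's full option list.
OPTION_KEYWORDS = {"msg", "flow", "content", "within", "distance", "offset",
                   "depth", "classtype", "sid", "rev", "reference", "priority"}
FLAG_KEYWORDS = {"nocase"}  # valid with no ':value' part


def split_options(rule):
    """Split the text inside the rule's parentheses on ';', leaving
    ';' and quotes inside content:"..." strings untouched."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        prev = ch
    if cur.strip():
        opts.append(cur.strip())
    return opts


def check_rule(rule):
    """Return warnings shaped like Snort's 'Unknown keyword' message.
    Snort takes everything before the first ':' (up to the ';') as the
    keyword, so 'within 10' is reported whole as an unknown keyword."""
    warnings = []
    for opt in split_options(rule):
        keyword = opt.split(":", 1)[0].strip()
        if keyword in FLAG_KEYWORDS or (keyword in OPTION_KEYWORDS and ":" in opt):
            continue
        warnings.append(f"Unknown keyword '{opt}' in rule!")
    return warnings


# The rule as posted (missing colon) and its corrected form.
BROKEN_RULE = ('alert tcp $HOME_NET any -> $MSM_SERVERS 80 (msg:"CHAT MSN login attempt"; '
               'flow:to_server,established; content:"USR "; content:" MD5 I "; '
               'within 10; classtype:policy-violation; sid:1991; rev:1;)')
FIXED_RULE = BROKEN_RULE.replace("within 10;", "within:10;")

if __name__ == "__main__":
    for name, rule in (("as posted", BROKEN_RULE), ("fixed", FIXED_RULE)):
        print(name, check_rule(rule) or "OK")
```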
