[Snort-sigs] 1631 CHAT AIM login false positive

Terence Runge terencerunge at ...1224...
Fri May 2 15:03:00 EDT 2003


This rule is fired when a user starts Netscape mail and a mailbox is 
checked. It appears that it has become a habit of Netscape to "call 
home" to port 5190 whenever Netscape mail is used and "Get Msgs" is 
completed. Proof of concept from my system.

C:\>netstat -an | grep 5190
  TCP    xxx.xxx.xxx.xxx:xxxx      64.12.25.151:5190      ESTABLISHED

Search results for: 64.12.25.151

OrgName:    America Online, Inc.
OrgID:      AMERIC-158
Address:    10600 Infantry Ridge Road
City:       Manassas
StateProv:  VA
PostalCode: 20109
Country:    US

I have opted to not use AOL IM and have also disabled automatic launch 
in the browser preferences. Still, the connection is attempted, 
established and maintained, resulting in a false positive.

alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; 
flow:to_server,established; content:"|2a 01|"; offset:0; depth:2; 
classtype:policy-violation; sid:1631; rev:4;)

How could this signature be revised to not fire when a user checks mail 
using Netscape? Changing the destination port will not do it and will 
only result in missing all valid and invalid AOL IM logins.

-Terence
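The following is an added illustration, not part of Terence's post or of the Snort rule set, showing why SID 1631 cannot separate the two cases on payload alone. It re-implements the rule's detection options (the flow check plus content/offset/depth) in Python and runs them over constructed packets: the FLAP frame builder, the sequence numbers, and every payload here are made up for the demonstration, and the assumption that the Netscape mail connection carries the same 0x2a 0x01 prefix is an inference from the fact that the rule fired on it.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Packet:
    """Minimal stand-in for what Snort sees: flow state plus TCP payload."""
    to_server: bool
    established: bool
    payload: bytes


def content_match(payload: bytes, content: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """Snort 'content' with 'offset' and 'depth' semantics.

    The search starts `offset` bytes into the payload and, when `depth` is
    given, is confined to the next `depth` bytes, so the pattern must fit
    entirely inside payload[offset:offset + depth].
    """
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window


def sid_1631_matches(pkt: Packet) -> bool:
    """Evaluate the detection options of SID 1631 (CHAT AIM login) on one packet.

    The rule header ($HOME_NET -> $AIM_SERVERS) is assumed to have matched already.
    """
    # flow:to_server,established
    if not (pkt.to_server and pkt.established):
        return False
    # content:"|2a 01|"; offset:0; depth:2  -> bytes 2a 01 must be the first two bytes
    return content_match(pkt.payload, b"\x2a\x01", offset=0, depth=2)


def flap_frame(channel: int, seq: int, data: bytes) -> bytes:
    """Build an OSCAR FLAP frame: 0x2a, channel id, 16-bit sequence, 16-bit length, data.

    Channel 1 is the new-connection channel, which is what the rule keys on.
    """
    return (b"\x2a" + bytes([channel]) + seq.to_bytes(2, "big")
            + len(data).to_bytes(2, "big") + data)


# Constructed sample traffic (hypothetical, not captured data).
SAMPLES: Dict[str, Packet] = {
    # A genuine AIM login: FLAP channel 1 to the server.
    "aim_login": Packet(True, True, flap_frame(1, 0x1234, b"\x00\x00\x00\x01")),
    # A mail client opening the same kind of connection to the same servers
    # produces an identical two-byte prefix, so the rule fires on it as well.
    "mail_client_probe": Packet(True, True, flap_frame(1, 0x0001, b"\x00\x00\x00\x01")),
    # Channel 2 carries data after login; the second byte differs, no match.
    "aim_data": Packet(True, True, flap_frame(2, 0x1235, b"\x00\x01\x00\x02")),
    # Server -> client direction fails the flow check even with the same bytes.
    "server_reply": Packet(False, True, flap_frame(1, 0x0001, b"")),
    # Same bytes shifted past the depth window; no match.
    "shifted": Packet(True, True, b"\x00\x00\x2a\x01"),
}


def evaluate_all() -> Dict[str, bool]:
    """Run the rule over every sample and report which ones would alert."""
    return {name: sid_1631_matches(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:18s} {'ALERT' if hit else '-'}")
```

Running it shows that `aim_login` and `mail_client_probe` both alert while the other three do not, which is exactly the situation described above: once a client on $HOME_NET opens a FLAP channel 1 connection to $AIM_SERVERS, the first two payload bytes are identical regardless of which application sent them, so neither port nor this content check can tell them apart.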