[Snort-sigs] 1631 CHAT AIM login false positive
terencerunge at ...1224...
Fri May 2 15:03:00 EDT 2003
This rule is fired when a user starts Netscape mail and a mailbox is
checked. It appears that it has become a habit of Netscape to "call
home" to port 5190 whenever Netscape mail is used and "Get Msgs" is
completed. Proof of concept from my system:
C:\>netstat -an | grep 5190
TCP xxx.xxx.xxx.xxx:xxxx 22.214.171.124:5190 ESTABLISHED
Search results for: 126.96.36.199
OrgName: America Online, Inc.
Address: 10600 Infantry Ridge Road
I have opted to not use AOL IM and have also disabled automatic launch
in the browser preferences. Still, the connection is attempted,
established and maintained, resulting in a false positive.
alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login";
flow:to_server,established; content:"|2a 01|"; offset:0; depth:2;
classtype:policy-violation; sid:1631; rev:4;)
How could this signature be revised to not fire when a user checks mail
using Netscape? Changing the destination port will not do it and will
only result in missing all valid and invalid AOL IM logins.
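An added example (not part of the original post) that models why sid 1631 fires on the Netscape mail connection: every OSCAR session, whatever client opens it, begins with a FLAP "new connection" frame on channel 1, and its 6-byte header starts with the bytes 2a 01 that `content:"|2a 01|"; offset:0; depth:2;` matches at the start of the client's first payload. The frames below are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

FLAP_MARKER = 0x2A
# FLAP channel numbers as used by the AIM/OSCAR protocol
FLAP_CHANNELS = {1: "new-connection", 2: "snac-data", 3: "error",
                 4: "close", 5: "keepalive"}


@dataclass
class FlapFrame:
    channel: int
    sequence: int
    payload: bytes


def build_flap(channel: int, sequence: int, payload: bytes) -> bytes:
    """Serialise a FLAP frame: marker(1) channel(1) seq(2) length(2) payload."""
    return struct.pack("!BBHH", FLAP_MARKER, channel, sequence, len(payload)) + payload


def parse_flap(data: bytes) -> FlapFrame:
    """Parse one FLAP frame from the start of a TCP payload (raises on junk)."""
    if len(data) < 6 or data[0] != FLAP_MARKER:
        raise ValueError("payload does not start with a FLAP header")
    _, channel, sequence, length = struct.unpack("!BBHH", data[:6])
    if len(data) < 6 + length:
        raise ValueError("truncated FLAP frame")
    return FlapFrame(channel, sequence, data[6:6 + length])


def sid1631_content_matches(payload: bytes) -> bool:
    """Model the rule's payload test: content:"|2a 01|"; offset:0; depth:2;
    The two bytes must sit at byte 0 of the client-to-server payload; the
    rule's port field is 'any', so the destination port never enters into it."""
    return payload[:2] == b"\x2a\x01"


# Constructed sample: the client's opening channel-1 frame carrying the
# FLAP protocol version (00 00 00 01), as sent to an AIM server on 5190.
CLIENT_HELLO = build_flap(1, 0x0001, b"\x00\x00\x00\x01")
# Constructed sample: a later keepalive on channel 5, which the rule ignores.
KEEPALIVE = build_flap(5, 0x0042, b"")

if __name__ == "__main__":
    frame = parse_flap(CLIENT_HELLO)
    print(FLAP_CHANNELS[frame.channel], sid1631_content_matches(CLIENT_HELLO))
```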