[Snort-sigs] Looking for a Yahoo Instant Messenger rule

Jade E. Deane jade.deane at ...1778...
Mon Sep 15 17:28:11 EDT 2003


If I'm not mistaken, the Yahoo! messaging client uses destination TCP
5050 (not sure on the source port; it looks like a typical stack-chosen random port):

19:23:05.073722 host.32798 > cs50.msg.sc5.yahoo.com.5050: P 86:154(68)
ack 1 win 8050 <nop,nop,timestamp 533330 3543413278> (DF)
0x0000   4500 0078 8c20 4000 4006 299b c0a8 020a        E..x. @.@.).....
0x0010   d888 e989 801e 13ba 2aee b653 cdf5 8304        ........*..S....
0x0020   8018 1f72 dbdb 0000 0101 080a 0008 2352        ...r..........#R
0x0030   d334 321e 594d 5347 0900 0000 0030 0006        .42.YMSG.....0..
0x0040   5a55 aa56 0000 0000 31c0 806a 6c61 6b77        ZU.V....1..jlakw
0x0050   3355                                           55

You should be good with a simple rule that catches anything destined to
TCP 5050, and perhaps kicking off a tcpdump based on the source and
destination after the first SYN.

Regards,
Jade

On Mon, 2003-09-15 at 16:56, John Impallomeni wrote:
> I am looking for a Yahoo Instant Messenger rule that captures the
> traffic. Anyone got one written? Thanks
> 
> John Impallomeni
> Systems Administrator
> Sun Healthcare Group
> (505) 468-6651
> (505) 975-0061 Cel.
> john.impallomeni at ...1877...
> 
> Information contained in this e-mail and any attachments thereto is
> intended solely for use of the recipient(s) named above and may be
> privileged, confidential, and/or proprietary. If you are not the
> intended recipient, please do not read, distribute, or reproduce this
> transmission. You are advised that unauthorized use of this e-mail by
> any unintended recipient may be unlawful and could subject the user to
> civil damages and other penalties. If you have received this e-mail
> transmission in error, please notify the sender immediately by reply
> e-mail and then delete this e-mail. Thank you.
-- 

PGP Public Key:  http://www.riven.net/~moose/key.asc
Key fingerprint = C497 1FEC 6FC4 6896 6AB5  9A26 71DF 521B 0612 D1B8
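The dump quoted above carries enough to check what a port-5050 rule would fire on. The following Python script is an added example, not code from Jade's post, from the Snort project or from any Snort rule set: it decodes the tcpdump -X hex words, strips the IPv4 and TCP headers, and applies the check an illustrative Snort rule would make (destination port 5050 plus a content match on the four bytes `594d 5347`, "YMSG", at the start of the payload). The 20-byte header layout it splits out (magic, version, vendor id, body length, service, status, session id) is the commonly documented YMSG layout and an assumption the post itself does not make; the version and vendor fields are left as raw hex because clients differed in their byte order. The rule text, its `msg` and its local-range `sid` are illustrative.

```python
"""Decode the tcpdump -X dump quoted in the post and apply a YMSG content check.

Added example; not code from the original thread. The header layout used below is
the commonly documented 20-byte YMSG header, an assumption the post does not state.
"""
from __future__ import annotations

import struct

# Hex words from the post's dump (ASCII column dropped). 82 of the 120 IP bytes were
# printed, so the YMSG body is truncated here; the IP, TCP and YMSG headers are complete.
DUMP_LINES = """
0x0000   4500 0078 8c20 4000 4006 299b c0a8 020a
0x0010   d888 e989 801e 13ba 2aee b653 cdf5 8304
0x0020   8018 1f72 dbdb 0000 0101 080a 0008 2352
0x0030   d334 321e 594d 5347 0900 0000 0030 0006
0x0040   5a55 aa56 0000 0000 31c0 806a 6c61 6b77
0x0050   3355
"""
# From the tcpdump summary line "P 86:154(68)": 68 payload bytes in this segment.
SEGMENT_PAYLOAD_LEN = 68

# Illustrative rule in the spirit of the post's suggestion (anything to TCP 5050),
# tightened with a content match on the 4-byte magic. sid is in the local range.
SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 '
    '(msg:"CHAT Yahoo IM YMSG message"; flow:to_server,established; '
    'content:"YMSG"; depth:4; classtype:policy-violation; sid:1000001; rev:1;)'
)

YMSG_MAGIC = b"YMSG"
YMSG_HEADER_LEN = 20


def hexdump_to_bytes(text: str) -> bytes:
    """Turn 'offset word word ...' lines into raw bytes, ignoring any ASCII column."""
    out = bytearray()
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue
        for word in fields[1:]:
            if len(word) != 4 or not all(c in "0123456789abcdefABCDEF" for c in word):
                break  # first non-hex token: the ASCII column begins
            out += bytes.fromhex(word)
    return bytes(out)


def tcp_payload(frame: bytes) -> tuple[int, bytes, int]:
    """Strip IPv4 and TCP headers. Returns (dst_port, captured_payload, full_payload_len)."""
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 2)[0]
    if frame[9] != 6:
        raise ValueError("not TCP")
    tcp = frame[ihl:]
    dst_port = struct.unpack_from("!H", tcp, 2)[0]
    data_off = (tcp[12] >> 4) * 4
    return dst_port, tcp[data_off:], total_len - ihl - data_off


def parse_ymsg_header(payload: bytes) -> dict:
    """Split the 20-byte header. Body length, service, status and session id are read
    big-endian; version and vendor id are returned as raw hex (client byte order varied)."""
    if len(payload) < YMSG_HEADER_LEN or payload[:4] != YMSG_MAGIC:
        raise ValueError("no YMSG header")
    body_len, service, status, session = struct.unpack_from("!HHII", payload, 8)
    return {
        "version_raw": payload[4:6].hex(),
        "vendor_raw": payload[6:8].hex(),
        "body_len": body_len,
        "service": service,
        "status": status,
        "session_id": session,
    }


def matches_rule(dst_port: int, payload: bytes) -> bool:
    """What SNORT_RULE keys on: destination port 5050 and 'YMSG' in the first 4 bytes."""
    return dst_port == 5050 and payload[:4] == YMSG_MAGIC


def analyse(dump: str = DUMP_LINES, segment_len: int = SEGMENT_PAYLOAD_LEN) -> dict:
    """Run the whole chain and report whether the header's own length agrees with TCP."""
    frame = hexdump_to_bytes(dump)
    dst_port, payload, full_len = tcp_payload(frame)
    hdr = parse_ymsg_header(payload)
    hdr["dst_port"] = dst_port
    hdr["rule_match"] = matches_rule(dst_port, payload)
    hdr["captured_payload"] = len(payload)
    hdr["full_payload"] = full_len
    # Header plus declared body should equal the segment payload. A mismatch means a
    # split or coalesced YMSG packet, which a depth:4 content match alone cannot tell apart.
    hdr["length_consistent"] = (YMSG_HEADER_LEN + hdr["body_len"] == full_len == segment_len)
    return hdr


if __name__ == "__main__":
    print(SNORT_RULE)
    for key, value in analyse().items():
        print(f"{key:18} {value}")
```

On the quoted dump the chain resolves to destination port 5050, a 48-byte declared body (0x0030), service 6, and 20 + 48 = 68, which is exactly the segment length tcpdump reported. That agreement is the useful check beyond the bare port match: a `content:"YMSG"; depth:4;` rule fires once per segment, so traffic where several YMSG packets share one segment, or one spans two, will not line up the same way.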