FW: [Snort-sigs] Looking for a Yahoo Instant Messenger rule

Snorkelpuss snort-sigs at ...898...
Tue Sep 16 07:48:07 EDT 2003


I have two rules, one for incoming and one for outgoing:

log tcp 216.136.0.0/16 5050 -> $HOME_NET any (msg:"CHATTER incoming Yahoo!";
flags:PA+; logto:"/yahoo"; content:"YMSG"; dsize:>52; content: !"TYPING";
classtype:chatter-box; rev:1;)

log tcp $HOME_NET any -> 216.136.0.0/16 5050 (msg:"CHATTER outgoing Yahoo!";
flags:PA+; logto:"/yahoo"; content:"YMSG"; dsize:>52; content: !"TYPING";
classtype:chatter-box; rev:1;)

You have to be running snort with the -d switch so that it logs the packet
payload. These work very well for me. I also have a perl script to
reconstruct the dialogue from the logfile if anyone is interested.

> -----Original Message-----
> From: John Impallomeni [mailto:John.Impallomeni at ...1877...]
> Sent: Monday, September 15, 2003 5:57 PM
> To: 'snort-sigs at lists.sourceforge.net'
> Subject: [Snort-sigs] Looking for a Yahoo Instant Messenger rule
> 
> 
> 
> I am looking for a Yahoo Instant Messenger rule that captures the traffic.
> Anyone got one written? Thanks 
> 
> John Impallomeni 
> Systems Administrator 
> Sun Healthcare Group 
> (505) 468-6651 
> (505) 975-0061 Cel. 
> john.impallomeni at ...1877... 
> 
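As an added example (not the poster's rules or perl script), the match conditions of the two rules above written out in Python and run over constructed packets, so the effect of dsize:>52 and the negated "TYPING" content can be checked; $HOME_NET is assumed to be 192.0.2.0/24 and the payloads are made up, not captured.

```python
import ipaddress

# Header part of the two rules:
#   log tcp 216.136.0.0/16 5050 -> $HOME_NET any      (incoming)
#   log tcp $HOME_NET any -> 216.136.0.0/16 5050      (outgoing)
YAHOO_NET = ipaddress.ip_network("216.136.0.0/16")
HOME_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed value for $HOME_NET
YAHOO_PORT = 5050

# Constructed payloads (not real captures). Header layout is only an assumption;
# what matters for the rule is the "YMSG" marker, the size, and the TYPING text.
CHAT_MSG = (b"YMSG" + b"\x00" * 16
            + b"14\xc0\x80hello, are you still there this evening?\xc0\x80")
KEEPALIVE = b"YMSG" + b"\x00" * 16          # 20 bytes: fails dsize:>52


def flags_pa_plus(flags: str) -> bool:
    """flags:PA+ -- PSH and ACK must be set; any other flag bits are allowed."""
    return "P" in flags and "A" in flags


def yahoo_chatter_direction(src_ip, src_port, dst_ip, dst_port, flags, payload):
    """Return 'incoming', 'outgoing' or None, applying the rule header first
    and then the payload options in the order they appear in the rule."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in YAHOO_NET and src_port == YAHOO_PORT and dst in HOME_NET:
        direction = "incoming"
    elif src in HOME_NET and dst in YAHOO_NET and dst_port == YAHOO_PORT:
        direction = "outgoing"
    else:
        return None
    if not flags_pa_plus(flags):        # flags:PA+
        return None
    if b"YMSG" not in payload:          # content:"YMSG"
        return None
    if len(payload) <= 52:              # dsize:>52 (payload bytes, not frame size)
        return None
    if b"TYPING" in payload:            # content:!"TYPING" -- typing notices are skipped
        return None
    return direction


if __name__ == "__main__":
    print(yahoo_chatter_direction("216.136.1.1", 5050, "192.0.2.10", 40000, "PA", CHAT_MSG))
    print(yahoo_chatter_direction("216.136.1.1", 5050, "192.0.2.10", 40000, "PA", KEEPALIVE))
```

A typing notification that carries the TYPING text is dropped even when it is long enough to pass the size check, which is why the negated content appears after dsize in the rule.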
