[Snort-sigs] Yahoo IM web logon attempt

William_Metcalf at ...1445...
Thu Feb 19 06:37:07 EST 2004


Below is a simple rule for detecting Yahoo IM traffic being forced over 
HTTP.  In other words, if you are doing egress filtering and your users do 
not have access to the standard Yahoo IM ports, Yahoo IM will 
automatically reconfigure itself to use port 80.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Yahoo IM web logon attempt"; flow:to_server,established; content:"POST"; content:"/notify"; content:"YMSG"; nocase; classtype:policy-violation; sid:10000; rev:3;)

Regards,

Will
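
Added example (not part of the original post): a Python sketch that emulates only the three content options of the rule above over constructed payloads, to show that the matches are unordered and unanchored and that nocase applies to "YMSG" alone. The names Content, content_hits, rule_matches and the sample payloads are assumptions made for illustration; flow, port and address checks are not modelled.

```python
from typing import List, NamedTuple, Optional


class Content(NamedTuple):
    pattern: bytes
    nocase: bool = False


# The rule's content options in the order it lists them.
# nocase modifies only the content that precedes it, i.e. "YMSG".
RULE_CONTENTS = [
    Content(b"POST"),
    Content(b"/notify"),
    Content(b"YMSG", nocase=True),
]


def content_hits(payload: bytes, contents=RULE_CONTENTS) -> List[Optional[int]]:
    """Offset of the first hit for each content option, None where absent."""
    hits = []
    for c in contents:
        hay, needle = payload, c.pattern
        if c.nocase:
            hay, needle = payload.lower(), c.pattern.lower()
        pos = hay.find(needle)
        hits.append(pos if pos >= 0 else None)
    return hits


def rule_matches(payload: bytes) -> bool:
    # The rule has no offset/depth/distance/within, so each content is
    # searched over the whole payload and their relative order is ignored.
    return all(h is not None for h in content_hits(payload))


# Constructed payloads, shaped after the rule's strings (not captured traffic).
SAMPLES = {
    "im_over_http": b"POST /notify HTTP/1.0\r\nHost: im.example\r\n\r\nYMSG\x00\x0b\x00\x00",
    "lowercase_magic": b"POST /notify HTTP/1.0\r\nHost: im.example\r\n\r\nymsg\x00\x0b\x00\x00",
    "plain_browsing": b"GET /index.html HTTP/1.0\r\nHost: www.example\r\n\r\n",
    # A web form that merely mentions the strings also satisfies the rule.
    "unrelated_form_post": b"POST /forum/reply HTTP/1.0\r\nHost: www.example\r\n\r\n"
                           b"subject=ymsg+protocol&ref=/notify",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:20} alert={rule_matches(payload)} offsets={content_hits(payload)}")
```

The unrelated_form_post sample is the tuning case: the rule alerts on it because nothing ties "/notify" to the request line or "YMSG" to the start of the body.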