[Snort-sigs] Snort Rule for Yahoo IM successful login

Jason Monroe "JC" monroe at ...1880...
Thu Feb 26 22:46:01 EST 2004


Hello Everybody,

I went looking for a rule to potentially measure Yahoo Messenger
successful logins. I searched the list and found this rule:

# The hex content decodes to the ASCII string "path=/; domain=." (a cookie fragment).
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"Yahoo! IM Login"; \
    flags:PA+; content:"|706174683d2f3b20646f6d61696e3d2e|"; \
    rev:1;)

(Yes, this is old.) I did some etherealin' and found a couple of cases
where it didn't work.

Ethereal users will find that the Y! server sends its cookie (see
http://www.engr.mun.ca/~sircar/ymsg9.htm), and the author of the previous
rule, in my opinion, made a mistake by using the cookie as the item of
interest.

Using Ethereal I noticed that an Authentication Response (type? 84) was sent
from the client to the server after "you hit login :D".

Making use of flowbits, I wanted to ensure Snort saw this packet and then
the YAHOO SERVICE LIST packet, which is followed by the string "Friends:
<friends_list_here>". From all of the outdated docs on this constantly
changing protocol, "Friends:" was constant. Unfortunately, in my case,
testing under VMware, Y! Messenger would retransmit sometimes, and it
seemed to be the case if you have a large enough friends list... You see
my point for using thresholding.

# Stage 1: client -> server YMSG packet with service 0x54 (84, AUTHRESP). The
# 2-byte service field sits at offset 10 of the YMSG header (after the "YMSG"
# magic, version, vendor and length fields), so anchor on it instead of a bare |00 54|.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Y!ahoo messenger login"; \
    flow:to_server,established; content:"YMSG"; depth:4; \
    content:"|00 54|"; distance:6; within:2; \
    flowbits:set,logging_in; flowbits:noalert; sid:1000099; rev:1;)

# Stage 2: YMSG service 0x55 (85, LIST) carrying "Friends:" on a flow where stage 1
# set the flowbit. The threshold limits this to one alert per source every 3 seconds,
# since the LIST packet is sometimes retransmitted.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Y!ahoo messenger login"; \
    flow:established; content:"YMSG"; depth:4; \
    content:"|00 55|"; distance:6; within:2; \
    content:"friends:"; nocase; flowbits:isset,logging_in; \
    threshold:type limit, track by_src, count 1, seconds 3; sid:1000100; rev:1;)


This was tested against Snort 2.1.1 

Please let me know if you craft / find a better rule.

Best,

JC
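As an added example (not part of the original post or the Snort rules above), the two-stage logic the post describes, modelled in Python over a few constructed packets: stage one marks a flow when a YMSG service 0x54 (AUTHRESP) packet is seen, stage two alerts on a service 0x55 (LIST) packet containing "Friends:" on a marked flow, and a per-client limit of one alert every 3 seconds suppresses the retransmitted LIST packet. The YMSG header layout (4-byte "YMSG" magic, then version, vendor/pad, body length, service, status and session id, big-endian), the 0xC080 key/value separator, the field key 87 for the buddy list, and the addresses and names are assumptions made for the example; the hex content of the older cookie rule is decoded as well to show what it keyed on.

```python
import struct

# YMSG header layout assumed here (magic, version, vendor/pad, body length,
# service, status, session id): 20 bytes, big-endian. Not taken from the post.
YMSG_MAGIC = b"YMSG"
YMSG_HEADER = struct.Struct(">4sHHHHII")
SERVICE_AUTHRESP = 0x54   # 84: the client's authentication response
SERVICE_LIST = 0x55       # 85: buddy list, body carries "Friends:..."
FIELD_SEP = b"\xc0\x80"   # key/value separator in the YMSG body (assumed)


def build_ymsg(service, fields, version=9, status=0, session=0):
    """Build a YMSG packet from (key, value) pairs (constructed test data)."""
    body = b"".join(str(k).encode() + FIELD_SEP + v + FIELD_SEP for k, v in fields)
    header = YMSG_HEADER.pack(YMSG_MAGIC, version, 0, len(body), service, status, session)
    return header + body


def parse_ymsg(payload):
    """Return (service, body) for a YMSG payload, or None if it is not one."""
    if len(payload) < YMSG_HEADER.size or not payload.startswith(YMSG_MAGIC):
        return None
    _magic, _ver, _vendor, length, service, _status, _session = YMSG_HEADER.unpack_from(payload)
    return service, payload[YMSG_HEADER.size:YMSG_HEADER.size + length]


def cookie_rule_pattern():
    """The byte string the older list rule keyed on, decoded from its hex content."""
    return bytes.fromhex("706174683d2f3b20646f6d61696e3d2e")


def detect_logins(packets, window=3.0):
    """Two-stage login detection over (timestamp, src, dst, payload) tuples.

    Stage 1 (flowbits:set): an AUTHRESP marks the flow and records the client.
    Stage 2 (flowbits:isset): a LIST packet containing "friends:" on a marked
    flow alerts, limited to one alert per client every `window` seconds
    (threshold type limit, count 1) so a retransmitted LIST does not alert twice.
    """
    logging_in = {}   # flow -> address that sent the AUTHRESP (the client)
    last_alert = {}   # client address -> timestamp of its last alert
    alerts = []
    for ts, src, dst, payload in packets:
        parsed = parse_ymsg(payload)
        if parsed is None:
            continue  # not YMSG at all
        service, body = parsed
        flow = frozenset((src, dst))
        if service == SERVICE_AUTHRESP:
            logging_in[flow] = src
        elif service == SERVICE_LIST and b"friends:" in body.lower():
            client = logging_in.get(flow)
            if client is None:
                continue  # flowbit never set on this flow
            if client in last_alert and ts - last_alert[client] < window:
                continue  # suppressed by the threshold
            last_alert[client] = ts
            alerts.append((ts, client))
    return alerts


CLIENT, SERVER, OTHER = "192.0.2.10", "198.51.100.20", "192.0.2.11"
BUDDIES = b"Friends:alice,bob,carol\n"

# Constructed sample traffic: a login, a retransmitted LIST, a non-YMSG packet,
# and a LIST on a flow where no AUTHRESP was ever seen.
SAMPLE_PACKETS = [
    (0.00, CLIENT, SERVER, build_ymsg(SERVICE_AUTHRESP, [(0, b"jc"), (6, b"resp1"), (96, b"resp2")])),
    (0.25, SERVER, CLIENT, build_ymsg(SERVICE_LIST, [(87, BUDDIES)])),
    (0.40, SERVER, CLIENT, build_ymsg(SERVICE_LIST, [(87, BUDDIES)])),   # retransmit
    (1.00, CLIENT, SERVER, b"GET / HTTP/1.0\r\n\r\n"),
    (5.00, SERVER, OTHER, build_ymsg(SERVICE_LIST, [(87, b"Friends:dave\n")])),
]

if __name__ == "__main__":
    for ts, client in detect_logins(SAMPLE_PACKETS):
        print(f"{ts:.2f} Yahoo! Messenger login from {client}")
```

Running it reports a single login for 192.0.2.10: the retransmitted LIST packet falls inside the 3-second limit, the HTTP packet is skipped, and the LIST to 192.0.2.11 never alerts because no AUTHRESP marked that flow. Shrinking the window below the retransmit gap shows the duplicate alert the post's threshold is there to prevent.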
