[Snort-sigs] Snort Rule for Yahoo IM successful login

Mark.Schutzmann at ...2233...
Fri Feb 27 07:48:10 EST 2004


Jason,

Here is the signature that I developed that works very well for me. I
haven't found any false positives. I included my MSN Messenger sig as well.
Let me know if it works for you.

# Custom MSN detection rule (MS 10/28/03)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MSN Messenger"; \
content:"application/x-msn-messenger"; content:"/gateway/gateway.dll?"; \
classtype:policy-violation; \
threshold: type threshold, track by_dst, count 20, seconds 60; \
sid:10000501; rev:6;)

# Custom Yahoo Messenger detection rule (MS 10/28/03)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Yahoo Messenger"; \
content:"YMSG"; \
threshold: type threshold, track by_dst, count 10, seconds 60; \
classtype:policy-violation; sid:10000502; rev:6;)


From: "Jason Monroe \"JC\"" <monroe at ...1880...>
Sent by: snort-sigs-admin at ...551...ceforge.net
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Snort Rule for Yahoo IM successful login
Date: 02/27/2004 12:34 AM

Hello Everybody,

I went looking for a rule to potentially measure Yahoo Messenger
successful logins. I searched the list and found this rule:

# The hex content below decodes to the ASCII string "path=/; domain."
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"Yahoo! IM Login"; \
flags:PA+; content:"|706174683d2f3b20646f6d61696e3d2e|"; \
rev:1;)

(Yes, this is old.) I did some etherealin' and found a couple of cases
where it didn't work.

Ethereal users will find that the Y! server sends its cookie (see
http://www.engr.mun.ca/~sircar/ymsg9.htm), and the author of the previous
rule, in my opinion, makes a mistake by using the cookie as the item
of interest.

Using Ethereal I noticed that an Authentication Response (type 84?) was sent
from the client to the server after "you hit login :D".

Making use of flowbits, I wanted to ensure Snort saw this packet and then
the YAHOO SERVICE LIST packet, which is followed by the string "Friends:
<friends_list_here>". From all of the outdated docs on this constantly
changing protocol, "Friends:" was constant. Unfortunately, in my case,
testing under VMware, Y! Messenger would retransmit sometimes, and it
seemed to be the case if you have a large enough friends list... You see
my point for using thresholding.

# Rule 1: the auth response (service 0x54) sets the flowbit and never alerts.
# The YMSG magic and the offset:10 anchor (service field of the 20-byte YMSG
# header, per the ymsg9 doc) are added here so a stray 00 54 elsewhere in a
# payload does not set the bit.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Yahoo! Messenger login"; \
content:"YMSG"; depth:4; content:"|00 54|"; offset:10; depth:2; \
flowbits:set,logging_in; flowbits:noalert; sid:1000099; rev:1;)

# Rule 2: the service list (0x55) carrying "Friends:", only on a session where
# rule 1 already fired; "type limit" keeps a retransmit from alerting twice
# within 3 seconds.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Yahoo! Messenger login"; \
content:"YMSG"; depth:4; content:"|00 55|"; offset:10; depth:2; \
content:"Friends:"; nocase; flowbits:isset,logging_in; \
threshold: type limit, track by_src, count 1, seconds 3; sid:1000100; rev:1;)


This was tested against Snort 2.1.1

Please let me know if you craft / find a better rule.

Best,

JC
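Both rule sets in this thread, as an added example that is not code from either poster: a small Python model of the YMSG framing and of Snort's flowbits and threshold semantics, replayed over a constructed capture. It assumes the 20-byte YMSG header layout from the ymsg9 write-up linked above (magic, version, vendor, length, service at offset 10, status, session) and the 0xC080 key/value separator; the addresses, session id, timestamps and the buddy-list key are made up for the sample. Unlike the posted rule it keys the flowbit on the session rather than on one direction, and it reads the service field at its header offset instead of matching a bare two-byte content anywhere in the packet.

```python
import struct
from collections import defaultdict

# YMSG header layout, assumed here from the ymsg9 write-up the thread links:
# "YMSG"(4) version(2) vendor(2) pkt_len(2) service(2) status(4) session(4)
YMSG_MAGIC = b"YMSG"
HDR = struct.Struct(">4sHHHHII")
SERVICE_AUTHRESP = 0x54   # client -> server once the user hits Login
SERVICE_LIST = 0x55       # carries the "Friends:" buddy list after login
SERVICE_PING = 0x12       # any other service; only used to exercise the count threshold
KV_SEP = b"\xc0\x80"      # key/value separator inside the YMSG payload


def build_ymsg(service, fields=(), session=0x1234):
    """Constructed sample frame: header plus key/value payload."""
    payload = b"".join(k + KV_SEP + v + KV_SEP for k, v in fields)
    return HDR.pack(YMSG_MAGIC, 9, 0, len(payload), service, 0, session) + payload


def parse_ymsg(data):
    """Return (service, payload) for a YMSG frame, else None."""
    if len(data) < HDR.size or not data.startswith(YMSG_MAGIC):
        return None
    _magic, _ver, _vendor, plen, service, _status, _sess = HDR.unpack_from(data)
    return service, data[HDR.size:HDR.size + plen]


class YmsgDetector:
    """Stateful model of the thread's rules. The flowbit lives on the session
    (both directions), as Snort keys flowbits on the stream; each threshold
    keeps timestamps per the address it tracks."""

    def __init__(self):
        self.logging_in = set()             # sessions with logging_in set
        self.last_login_alert = {}          # src -> ts of last alert (type limit)
        self.ymsg_pkts = defaultdict(list)  # dst -> ts list (type threshold)

    def packet(self, ts, src, dst, data):
        alerts = []
        parsed = parse_ymsg(data)
        if parsed is None:
            return alerts
        service, payload = parsed
        flow = frozenset((src, dst))

        # Mark's rule: content:"YMSG"; threshold type threshold, track by_dst,
        # count 10, seconds 60 -> one alert per 10 YMSG frames to a dst in 60 s
        window = [t for t in self.ymsg_pkts[dst] if ts - t < 60] + [ts]
        if len(window) >= 10:
            alerts.append((ts, "Yahoo Messenger"))
            window = []
        self.ymsg_pkts[dst] = window

        # JC's rule 1: service 0x54 sets logging_in, flowbits:noalert
        if service == SERVICE_AUTHRESP:
            self.logging_in.add(flow)
        # JC's rule 2: service 0x55, "friends:" nocase, flowbits:isset,
        # threshold type limit, track by_src, count 1, seconds 3
        elif (service == SERVICE_LIST and b"friends:" in payload.lower()
              and flow in self.logging_in):
            last = self.last_login_alert.get(src)
            if last is None or ts - last >= 3:
                alerts.append((ts, "Yahoo! Messenger login"))
                self.last_login_alert[src] = ts
        return alerts


def run_sample():
    """Replay a constructed capture: one login whose buddy list is retransmitted,
    a buddy list with no preceding auth response, a non-YMSG packet, and a burst
    of other YMSG frames that trips the count threshold."""
    client, client2, server = "10.0.0.5", "10.0.0.9", "66.163.0.1"
    det = YmsgDetector()
    buddies = build_ymsg(SERVICE_LIST, [(b"87", b"Friends:alice,bob\n")])
    stream = [
        (0.0, client, server, build_ymsg(SERVICE_AUTHRESP, [(b"1", b"jc")])),
        (1.0, server, client, buddies),
        (1.5, server, client, buddies),                    # retransmit
        (5.0, server, client2, buddies),                   # no auth response seen
        (6.0, client, server, b"GET / HTTP/1.0\r\n\r\n"),  # not YMSG
    ]
    stream += [(20.0 + i, client, server, build_ymsg(SERVICE_PING)) for i in range(10)]
    alerts = []
    for ts, src, dst, data in stream:
        alerts += det.packet(ts, src, dst, data)
    return alerts


if __name__ == "__main__":
    for ts, msg in run_sample():
        print(f"{ts:6.1f}  {msg}")
```

The retransmitted list frame at 1.5 s is swallowed by the 3-second limit, the list sent to the second client never alerts because no auth response was seen on that session, and the count threshold fires on the tenth YMSG frame to the server (the auth response plus nine pings). Matching `|00 54|` anywhere in the payload, as the posted rule does, would also hit on any packet that happens to contain those two bytes, which is why the model checks the magic and reads the service field at its header offset.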


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs