[Snort-sigs] rules for Jabber and Google Talk

Steven Alexander pdp11hacker at ...2420...
Mon Feb 13 11:30:01 EST 2006


I've been using the following rules for detecting Jabber and Google
Talk IM traffic.

Google Talk uses the Jabber protocol which is assigned TCP port 5222. 
The traffic is in XML format.  If anyone has other or better rules,
please share.

Thanks,

Steven

#Jabber/Google Talk traffic from the client
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"Jabber/Google Talk Outgoing Traffic"; flow:to_server,established; content:"<stream"; offset:0; nocase; classtype:policy-violation; sid:62000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"Jabber/Google Talk Outgoing Auth"; flow:to_server,established; content:"<auth"; offset:0; nocase; classtype:policy-violation; sid:62001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"Google Talk Logon"; flow:to_server,established; content:"<stream\:stream to=\"gmail.com\""; offset:0; nocase; classtype:policy-violation; sid:62002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"Jabber/Google Talk Outgoing Message"; flow:to_server,established; content:"<message"; offset:0; nocase; classtype:policy-violation; sid:62003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"Jabber/Google Talk Log Out"; flow:to_server,established; content:"</stream"; offset:0; nocase; classtype:policy-violation; sid:62006; rev:1;)


#Jabber/Google Talk traffic from the server
alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"Jabber/Google Talk Logon Success"; flow:to_client,established; content:"<success"; offset:0; nocase; classtype:policy-violation; sid:62009; rev:1;)
alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"Jabber/Google Talk Incoming Message"; flow:to_client,established; content:"<message"; offset:0; nocase; classtype:policy-violation; sid:62010; rev:1;)
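To see what the content/offset/nocase options in these rules actually match, here is an added example (not part of Steven's post and not Snort itself): a minimal Python evaluator that parses three of the posted rules and runs them over constructed XMPP payloads. It only understands the handful of options these rules use and ignores the port and flow state checks.

```python
import re

# Constructed copy of three of the posted rules, each on one line as Snort
# requires; the \: and \" escapes inside content are as the author wrote them.
RULES_TEXT = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"Jabber/Google Talk Outgoing Traffic"; flow:to_server,established; content:"<stream"; offset:0; nocase; classtype:policy-violation; sid:62000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"Google Talk Logon"; flow:to_server,established; content:"<stream\:stream to=\"gmail.com\""; offset:0; nocase; classtype:policy-violation; sid:62002; rev:1;)
alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"Jabber/Google Talk Logon Success"; flow:to_client,established; content:"<success"; offset:0; nocase; classtype:policy-violation; sid:62009; rev:1;)
'''

def parse_rule(line):
    """Pull the options this evaluator understands out of one Snort rule line."""
    body = line[line.index("(") + 1:line.rindex(")")]
    rule = {"nocase": False, "offset": 0}
    # Split on ';' unless it is backslash-escaped; the trailing element is empty.
    for opt in re.split(r"(?<!\\);", body):
        if not opt.strip():
            continue
        key, _, val = opt.strip().partition(":")
        if key == "content":
            # Strip the surrounding quotes and drop Snort's backslash escapes.
            rule["content"] = re.sub(r"\\(.)", r"\1", val.strip()[1:-1])
        elif key == "nocase":
            rule["nocase"] = True
        elif key == "offset":
            rule["offset"] = int(val)
        elif key == "flow":
            rule["direction"] = val.split(",")[0]
        elif key == "sid":
            rule["sid"] = int(val)
    return rule

RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

def matching_sids(payload, direction):
    """Return the sids whose content matches this payload in this direction.

    offset:N only sets where the search starts; without a depth it is not an
    anchor, so a payload that begins with an <?xml ...?> prolog still matches."""
    hits = []
    for r in RULES:
        if r["direction"] != direction:
            continue
        hay, needle = payload[r["offset"]:], r["content"]
        if r["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle in hay:
            hits.append(r["sid"])
    return hits

# Constructed sample payloads, not captured traffic.
CLIENT_OPEN = "<?xml version='1.0'?><stream:stream to=\"GMAIL.com\" xmlns=\"jabber:client\">"
SERVER_OK = '<success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>'
```

Running `matching_sids(CLIENT_OPEN, "to_server")` fires both 62000 and 62002 even though the stream tag is not at byte 0 and the domain is mixed case, which is the behaviour offset:0 plus nocase gives you.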