[Snort-sigs] scanning for emoticons in MSN messenger?

Eric Zheng zhengeric at ...12...
Mon May 3 03:07:06 EDT 2010

I want to see if it's possible to make a rule to look for any custom emoticon being sent over MSN Messenger.  I believe this is possible since a custom emoticon image has to be sent over the network, but I'm not sure how to look for it (file type matching? but I don't know what format custom emoticons are in).  I'm new to Snort rules but I have been familiarizing myself with their syntax and usage.

I believe it would be along the lines of:

alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"Emoticon detected"; <emoticon signature>;)

Where <emoticon signature> are the requisites to trigger the alert.  Port 1863 is used for MSN Messenger.

Any help would be appreciated, thanks!