[Snort-sigs] scanning for emoticons in MSN messenger?

Eric Zheng zhengeric at ...12...
Mon May 3 03:07:06 EDT 2010


I want to see if it's possible to make a rule to look for any custom emoticon being sent over MSN Messenger. I believe this is possible since a custom emoticon image has to be sent over the network, but I'm not sure how to look for it (file type matching? but I don't know what format custom emoticons are in). I'm new to Snort rules but I have been familiarizing myself with their syntax and usage.

I believe it would be along the lines of:

alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"Emoticon detected"; <emoticon signature>;)

Where <emoticon signature> are the requisites to trigger the alert.  Port 1863 is used for MSN messenger.

Any help would be appreciated, thanks!
 		 	   		  

