[Snort-sigs] scanning for emoticons in MSN messenger?

Joel Esler jesler at ...435...
Mon May 3 08:38:48 EDT 2010


Eric,

You'd have to grab a pcap of traffic to see what format the emoticon is in.
Then you could write a simple content signature.

Joel

On Mon, May 3, 2010 at 3:07 AM, Eric Zheng <zhengeric at ...12...> wrote:

>  I want to see if it's possible to make a rule to look for any custom
> emoticon being sent over MSN messenger.  I believe this is possible since a
> custom emoticon image has to be sent over the network, but I'm not sure how
> to look for it (file type matching? but I don't know what format custom
> emoticons are in).  I'm new to snort rules but I have been familiarizing
> myself with their syntax and usage.
>
> I believe it would be along the lines of:
>
> alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"Emoticon detected";
> <emoticon signature>;)
>
> Where <emoticon signature> are the requisites to trigger the alert.  Port
> 1863 is used for MSN messenger.
>
> Any help would be appreciated, thanks!
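Added example, not part of the original thread or of Snort: one way to carry out the suggested workflow is to tally the Content-Type of each MSG command in a reassembled port 1863 stream, then drop the distinguishing value into the rule skeleton from the question. The MSG framing, the `text/x-mms-emoticon` value, the sample bytes, the function names and the sid are assumptions to confirm against a real capture.

```python
import re
from collections import Counter

# Constructed sample: reassembled server-to-client bytes on TCP/1863.
# The MSG framing and the "text/x-mms-emoticon" value are assumptions about
# the protocol; confirm both against your own pcap before relying on them.
def _msg(mime_type: str, body: str) -> bytes:
    payload = f"MIME-Version: 1.0\r\nContent-Type: {mime_type}\r\n\r\n{body}".encode()
    return b"MSG buddy@example.com Buddy %d\r\n" % len(payload) + payload

SAMPLE_STREAM = (
    _msg("text/plain; charset=UTF-8", "hello")
    + _msg("text/x-mms-emoticon", ":cat:\t<msnobj placeholder/>\t")
    + _msg("text/plain; charset=UTF-8", ":cat:")
)

MSG_HEADER = re.compile(rb"MSG \S+ \S+ (\d+)\r\n")

def msg_content_types(stream: bytes) -> Counter:
    """Walk length-prefixed MSG commands and tally their Content-Type values."""
    seen, pos = Counter(), 0
    while (m := MSG_HEADER.search(stream, pos)):
        end = m.end() + int(m.group(1))
        headers = stream[m.end():end].split(b"\r\n\r\n", 1)[0]
        for line in headers.split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-type":
                seen[value.split(b";")[0].strip().decode("ascii", "replace")] += 1
        pos = end  # skip the body so user-typed text is never parsed as a command
    return seen

def candidate_rule(mime_type: str, sid: int = 1000001) -> str:
    """Place the distinguishing header into the rule skeleton from the question."""
    return (
        'alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any '
        '(msg:"Emoticon detected"; flow:to_client,established; '
        f'content:"Content-Type|3A| {mime_type}"; nocase; sid:{sid}; rev:1;)'
    )

if __name__ == "__main__":
    for mime_type, count in msg_content_types(SAMPLE_STREAM).items():
        print(count, mime_type)
    print(candidate_rule("text/x-mms-emoticon"))
```

Matching on the header rather than on the `:cat:` shortcut keeps the rule from firing on plain-text messages that merely contain the same characters.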

