No subject


Thu Nov 23 16:34:03 EST 2017


On Thu, 2002-12-19 at 11:06, David Augros wrote:
> These have worked for me in the past, but I haven't used them for a while,
> so YMMV. I also include rules for AOL/MSN as well:
> 
> alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"Yahoo! IM Login";
> flags:PA+; content:"|706174683d2f3b20646f6d61696e3d2e|";
> classtype:null-class; rev:1;)
> alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"MSN IM Login";
> flags:PA+; content:"LoginTime"; classtype:null-class; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"AOL (IM) Login";
> flags:PA+; content:"AOL Instant Messenger (SM), version";
> classtype:null-class; rev:1;)
> 
> While we're at it, here are some rules that try to capture the chatter
> itself:
> 
> alert tcp 216.136.0.0/16 5050 -> $HOME_NET any (msg:"incoming Yahoo!";
> flags:PA+; content:"YMSG"; dsize:>52; content: !"TYPING";
> classtype:null-class; rev:1;)
> alert tcp $HOME_NET any -> 216.136.0.0/16 5050 (msg:"outgoing Yahoo!";
> flags:PA+; content:"YMSG"; dsize:>52; content: !"TYPING";
> classtype:null-class; rev:1;)
> alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"incoming MSN";
> flags:PA+; content:"MSG"; content: !"TypingUser"; classtype:null-class;
> rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"outgoing MSN";
> flags:PA+; content:"MSG"; content: !"TypingUser"; classtype:null-class;
> rev:1;)
> alert tcp $HOME_NET !25 -> $EXTERNAL_NET !80 (msg:"outgoing AIM"; flags:PA+;
> content:"<BODY BGCOLOR=\"#"; classtype:null-class; rev:1;)
> alert tcp $EXTERNAL_NET !80 -> $HOME_NET !25 (msg:"incoming AIM"; flags:PA+;
> content:"<BODY BGCOLOR=\"#"; classtype:null-class; rev:1;)
> 
> I use these currently and they do work, but I'd appreciate any criticism or
> improvements (non-political criticism please, our logging policy is fully
> disclosed to our users). Now, the real challenge is grabbing file transfers
> and web-based email messages from these services. I have had only limited
> success with Hotmail and Yahoo on that score, and would like to know if
> anyone else has had any luck.
> ____
> dave
> 
> -----Original Message-----
> From: spy guy [mailto:spyguy703 at ...817...]
> Sent: Thursday, December 19, 2002 12:23 PM
> To: Snort Sigs
> Subject: [Snort-sigs] Yahoo IM Client Logon
> 
> 
> Has anyone created a rule that will detect logins to the Yahoo Instant
> Messenger service?
> 
> I can come up with one myself, but was wondering if one already existed
> that works well. I am looking to get one alert per login.
> 
> Thanks.
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
> Lightship Telecom
> www.lightship.net 
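As an added example, not the poster's code and not Snort itself, here is a small Python evaluator for the payload options the rules above depend on (content with |hex| escapes and \" quotes, negated content, dsize), run over constructed payloads. It shows what the opaque hex blob in the Yahoo login rule actually matches and how dsize:>52 together with content:!"TYPING" keeps typing notifications from firing; flags, ports and addresses are ignored, and the sample payloads are made up.

```python
import re

# Added example (not Snort, not the poster's code): a minimal evaluator for the
# payload options the quoted rules rely on: content with |hex| escapes and \"
# quotes, negated content:!"...", and dsize:>N. Flags/ports/addresses are ignored.

def decode_content(spec):
    """Expand a Snort content string: |..| sections are hex, \\" is a literal quote."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.replace('\\"', '"').encode("latin-1")
    return bytes(out)

def parse_rule(rule):
    """Pull msg, [(negated, pattern_bytes)] and the dsize lower bound out of one rule."""
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = [(neg == "!", decode_content(body)) for neg, body in
                re.findall(r'content:\s*(!?)"((?:[^"\\]|\\.)*)"', opts)]
    dsize = re.search(r"dsize:\s*>(\d+)", opts)
    return {"msg": re.search(r'msg:"([^"]*)"', opts).group(1),
            "contents": contents,
            "dsize_gt": int(dsize.group(1)) if dsize else None}

def rule_matches(parsed, payload):
    """True when the dsize bound holds and every content (honouring '!') agrees."""
    if parsed["dsize_gt"] is not None and len(payload) <= parsed["dsize_gt"]:
        return False
    return all((pat in payload) != neg for neg, pat in parsed["contents"])

def fired(rules, payload):
    """Names (msg) of the rules whose payload options match the payload."""
    return [r["msg"] for r in map(parse_rule, rules) if rule_matches(r, payload)]

RULES = [  # three of the quoted rules, unchanged
    'alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"Yahoo! IM Login"; flags:PA+; '
    'content:"|706174683d2f3b20646f6d61696e3d2e|"; classtype:null-class; rev:1;)',
    'alert tcp 216.136.0.0/16 5050 -> $HOME_NET any (msg:"incoming Yahoo!"; flags:PA+; '
    'content:"YMSG"; dsize:>52; content: !"TYPING"; classtype:null-class; rev:1;)',
    'alert tcp $HOME_NET !25 -> $EXTERNAL_NET !80 (msg:"outgoing AIM"; flags:PA+; '
    'content:"<BODY BGCOLOR=\\"#"; classtype:null-class; rev:1;)',
]

# Constructed sample payloads, not captured traffic.
YAHOO_LOGIN = b"HTTP/1.0 200 OK\r\nSet-Cookie: Y=v=1&n=abc; path=/; domain=.yahoo.com\r\n\r\n"
YAHOO_MSG = b"YMSG" + b"\x00" * 16 + b"1\xc0\x80dave\xc0\x805\xc0\x80bob\xc0\x8014\xc0\x80hello there, how are you?\xc0\x80"
YAHOO_TYPING = b"YMSG" + b"\x00" * 16 + b"49\xc0\x80TYPING\xc0\x801\xc0\x80dave\xc0\x805\xc0\x80bob\xc0\x80"
YAHOO_SHORT = b"YMSG" + b"\x00" * 16          # keep-alive sized packet, under dsize:>52
AIM_MSG = b'<HTML><BODY BGCOLOR="#ffffff"><FONT>hi</FONT></BODY></HTML>'
```

decode_content on the Yahoo login rule yields the cookie fragment `path=/; domain=.`, which is why that rule keys on the server's Set-Cookie response rather than anything IM-specific.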