[Snort-users] ICQ 2000 Signature and firewall config

Dragos Ruiu dr at ...50...
Thu Oct 19 01:16:08 EDT 2000


On Wed, 18 Oct 2000, Erick Arturo Perez Huemer wrote:
> As of versions 2000a and 2000b of ICQ, the program now has a section called
> "Connection" under Preferences that allows you to select "autoconfigure
> ICQ".
> I noticed this because one of my users was running ICQ on his computer and I
> was surprised since I blocked all and allowed only certain traffic. My
> surprise came when I noticed that ICQ is using port tcp 21 (automatically
> configured) to perform connections. Obviously port 21 is open in my ipchains
> rule because I need users to ftp outside sometimes...
> 
> Does anyone know a signature for ICQ so at least my IDS (Snort) can tell me who's
> using it?

The ICQ protocol description site at: 

http://www.d.kth.se/~d95-mih/icq/

...May be of assistance to you on your quest. ;)

But I'm sure others might be interested too (myself included),
so if you do come up with something here, please post back
with your rules...

cheers,
--dr


-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net
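
An added example, not part of the original thread and not a Snort rule: a protocol-conformance check that flags a TCP/21 session whose payload does not look like an FTP control channel (RFC 959), which is how a non-FTP application riding an allowed port 21 would show up. It does not identify ICQ itself. The function name, the `(direction, payload)` input shape and the sample payloads are constructed for illustration, and each payload is assumed to start at a line boundary.

```python
import re

# RFC 959: a reply is a 3-digit code, then space or '-', text, and a line end.
FTP_REPLY = re.compile(rb"[1-5][0-5][0-9][ -][\x20-\x7e]*\r?\n")
# RFC 959: a command is a 3-4 letter verb, an optional argument, and a line end.
FTP_COMMAND = re.compile(rb"[A-Za-z]{3,4}( [\x20-\x7e]*)?\r?\n")
GREETING_CODES = (b"120", b"220", b"421")  # replies a server may send on connect


def check_port21_flow(segments):
    """segments: ordered (direction, payload) pairs for one TCP/21 session,
    direction 'S' (server to client) or 'C' (client to server).
    Returns (is_ftp, reason)."""
    data = [(d, p) for d, p in segments if p]  # ignore empty segments (bare ACKs)
    if not data:
        return False, "no payload seen"
    first_dir, first_payload = data[0]
    # In FTP the server speaks first; the client waits for the greeting.
    if first_dir != "S":
        return False, "client sent data before any server greeting"
    if first_payload[:3] not in GREETING_CODES:
        return False, "server's first bytes are not an FTP greeting"
    for i, (direction, payload) in enumerate(data):
        pattern = FTP_REPLY if direction == "S" else FTP_COMMAND
        if not pattern.match(payload):
            return False, f"segment {i} ({direction}) is not an FTP line"
    return True, "control channel looks like FTP"


# Constructed sample sessions (not captured traffic, not real ICQ bytes).
FTP_SESSION = [
    ("S", b"220 ftp.example.org ready\r\n"),
    ("C", b"USER anonymous\r\n"),
    ("S", b"331 Send e-mail address as password\r\n"),
    ("C", b"PASS guest@example.org\r\n"),
    ("S", b"230 Logged in\r\n"),
]
BINARY_CLIENT_FIRST = [("C", b"\x00\x10\x02\xff\x00\x00\x01\x00")]
BINARY_SERVER_FIRST = [("S", b"\x02\x00\x00\x00\x04\x00"), ("C", b"\x00\x01")]
BINARY_AFTER_GREETING = [("S", b"220 ok\r\n"), ("C", b"\x00\x01\x7f\x80")]

if __name__ == "__main__":
    for name in ("FTP_SESSION", "BINARY_CLIENT_FIRST",
                 "BINARY_SERVER_FIRST", "BINARY_AFTER_GREETING"):
        print(name, check_port21_flow(globals()[name]))
```
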


