[Snort-users] ICQ 2000 Signature and firewall config

Erik Engberg Erik.Engberg at ...511...
Thu Oct 19 12:33:25 EDT 2000

IMHO it's not just ICQ that is starting to do "ugly" tricks to be able to get
past firewalls. All sorts of userland utilities for
chat/filesharing/godknowswhat are out there and they more and more work like
backdoors into your network. Every so often a vulnerability comes along that
lets outside people take over an ICQ/IRC/Napster machine on your network. And
if they are not already available, they will be soon enough. I never heard
of any userland-free-utility-makers following secure programming
practices... Even if they do, the issue is never up.

This is IMHO a dangerous security hazard and the more we try to block the
worse it gets as the utility makers find new ways to obscure the traffic.
Not even an http only cache proxy is enough these days (although it helps a
lot ;).

They allow your users to do things they are not (usually) allowed and about
the only two ways to get to this is user education/company policy (This is
dangerous!) and half-effective IDS signatures.

I for one wouldn't be disappointed if a comprehensive set of sigs to detect
these programs became available ;). But someone's gotta do it... So please,
you who take the time to research and make these rules, post 'em back. They
ARE interesting for the rest of us (I gather).

Virii, backdoors, ddos, userland utilities... the lines between them are
blurring more and more.


-----Original Message-----
From: Dragos Ruiu [mailto:dr at ...50...]
Sent: 19 October 2000 07:16
To: eperez at ...637...; Erick Arturo Perez Huemer;
snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ICQ 2000 Signature and firewall config

On Wed, 18 Oct 2000, Erick Arturo Perez Huemer wrote:
> As of versions 2000a and 2000b of ICQ, the program now has a section called
> "Connection" under Preferences that allows you to select "autoconfigure
> ICQ".
> I noticed this because one of my users was running ICQ on his computer and
> was surprised since I blocked all and allowed only certain traffic. My
> surprise came when I noticed that ICQ is using port tcp 21 (automatically
> configured) to perform connections. Obviously port 21 is open in my
> rule because I need users to ftp outside sometimes...
> Does anyone know a signature for ICQ so at least my IDS (Snort) can tell me
> using it?

The ICQ protocol description site at: 


...May be of assistance to you on your quest. ;)

But I'm sure others might be interested too, (myself included)
so if you do come up with something here, please post back
with your rules...


Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the
gpg/pgp key on file at wwwkeys.pgp.net
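One defender-side check for the situation Erick describes above (a chat client riding an allowed port such as tcp/21): an added Python example, not from anyone in this thread, that flags port-21 sessions whose first bytes on either side do not look like an RFC 959 FTP exchange. The session records, addresses and the binary handshake are constructed sample data.

```python
import re

# RFC 959 reply: three-digit code followed by a space (single line) or '-' (multi-line start).
FTP_REPLY_RE = re.compile(rb"^[1-5][0-9]{2}[ -]")
# RFC 959 command: a short ASCII verb (USER, PASS, FEAT, AUTH, ...) then a space or end of line.
FTP_CMD_RE = re.compile(rb"^[A-Za-z]{3,4}( |\r\n)")


def _has_binary(data: bytes) -> bool:
    """True if data holds bytes outside printable ASCII plus CR/LF."""
    return any(b > 0x7E or (b < 0x20 and b not in (0x0D, 0x0A)) for b in data)


def classify_port21_session(server_first: bytes, client_first: bytes) -> str:
    """Return 'ftp' if both directions look like an FTP control channel, else a reason tag."""
    if not server_first:
        return "no-server-banner"          # FTP servers speak first; silence is suspicious
    if not FTP_REPLY_RE.match(server_first):
        return "server-not-ftp"            # banner is not a 220/4xx/5xx style reply
    if client_first and not FTP_CMD_RE.match(client_first):
        return "client-not-ftp"            # client did not open with an FTP verb
    if _has_binary(server_first + client_first):
        return "binary-on-21"              # plausible prefix, but binary payload follows
    return "ftp"


def flag_sessions(sessions):
    """Return (destination, verdict) for every port-21 session that is not plain FTP."""
    findings = []
    for s in sessions:
        if s["dport"] != 21:
            continue
        verdict = classify_port21_session(s["server"], s["client"])
        if verdict != "ftp":
            findings.append((s["dst"], verdict))
    return findings


# Constructed sample sessions (hypothetical addresses): a real FTP control channel,
# a binary handshake tunnelled over tcp/21, and an unrelated HTTP session.
SAMPLE_SESSIONS = [
    {"dst": "192.0.2.10", "dport": 21,
     "server": b"220 ftp.example.net FTP server ready.\r\n",
     "client": b"USER anonymous\r\n"},
    {"dst": "192.0.2.20", "dport": 21,
     "server": b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01",
     "client": b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"},
    {"dst": "192.0.2.30", "dport": 80,
     "server": b"HTTP/1.0 200 OK\r\n", "client": b"GET / HTTP/1.0\r\n"},
]

if __name__ == "__main__":
    for dst, verdict in flag_sessions(SAMPLE_SESSIONS):
        print(f"non-FTP traffic on tcp/21 to {dst}: {verdict}")
```

The check only needs the first few bytes of each direction, so it can be driven from a sniffer or flow collector rather than full packet capture.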