[Snort-users] AOL Instant Messenger signature?

Blake Frantz blake at ...319...
Tue May 1 14:42:32 EDT 2001


Hello,

I spent about 30 mins playing and came up with the following:

   - AIM 3.0 defaults to port 5190/tcp
   - All packets were set to DF (Do Not Fragment)
   - The payload always started with "2A 02"

alert tcp $EXTERNAL_NET 5190 -> $HOME_NET 1024: (msg:"AOL Instant Messenger - Inbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 5190 (msg:"AOL Instant Messenger - Outbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)

If anyone can improve this or find any instances which cause this rule
to fail, please speak up.

Blake Frantz

================================================================= 
The Government, like diapers, should be replaced regularly, and
often for the same reasons. 

On Mon, 16 Apr 2001, Jones, Benny wrote:

> Fellow snorters...
> 
> Is there a signature to detect AIM activity?
> I couldn't find one on www.snort.org or
> www.whitehats.com.
> 
> Thanks in advance.
> 
> Benny
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
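The following is an added example, not code from Blake's post or from Snort: a minimal parser for the FLAP framing that AIM's OSCAR protocol uses (start byte 0x2A, one channel byte, 16-bit sequence, 16-bit length), plus a function that mirrors the two posted rules on a single TCP segment. It is run over constructed sample segments (not captured traffic) to show which frames the rules catch and which they miss. The FLAP channel numbers and the SNAC header layout follow the public OSCAR protocol descriptions; the client port 49152 and the message bytes are arbitrary assumptions made here.

```python
"""Added example (not from the original post): FLAP/SNAC parser and the
matching logic of the two posted Snort rules, run over constructed segments."""
import struct
from typing import Dict, Optional, Tuple

AIM_PORT = 5190
FLAP_START = 0x2A
# FLAP channel numbers as given in public OSCAR protocol descriptions
FLAP_CHANNELS = {1: "signon", 2: "snac", 3: "error", 4: "close", 5: "keepalive"}


def build_flap(channel: int, seq: int, body: bytes) -> bytes:
    """FLAP header: start byte 0x2A, channel, 16-bit sequence, 16-bit length."""
    return struct.pack("!BBHH", FLAP_START, channel, seq, len(body)) + body


def parse_flap(data: bytes) -> Tuple[int, int, bytes, Optional[Tuple[int, int]]]:
    """Parse one FLAP frame. Returns (channel, seq, body, snac) where snac is
    (family, subtype) for channel-2 frames carrying a full 10-byte SNAC header."""
    if len(data) < 6 or data[0] != FLAP_START:
        raise ValueError("not a FLAP frame")
    channel, seq, length = struct.unpack("!BHH", data[1:6])
    body = data[6:6 + length]
    if len(body) != length:
        raise ValueError("truncated FLAP frame")
    snac = None
    if channel == 2 and len(body) >= 10:
        # SNAC header: family(2) subtype(2) flags(2) request-id(4)
        snac = struct.unpack("!HH", body[:4])
    return channel, seq, body, snac


def rule_matches(src_port: int, dst_port: int, payload: bytes, df: bool = True) -> Optional[str]:
    """Mirror the two posted rules on one TCP segment payload: content |2A 02|
    at offset 0 / depth 2, DF bit set, 5190 on one side and a port >= 1024 on
    the other. Returns 'inbound', 'outbound' or None."""
    if not df or payload[:2] != b"\x2a\x02":
        return None
    if src_port == AIM_PORT and dst_port >= 1024:
        return "inbound"
    if dst_port == AIM_PORT and src_port >= 1024:
        return "outbound"
    return None


# Constructed sample segments (not captured traffic): (src_port, dst_port, payload).
# ICBM family 0x0004, subtype 0x0006 is the client-to-server message SNAC.
ICBM_SEND = struct.pack("!HHHI", 0x0004, 0x0006, 0, 1) + b"\x00" * 8 + b"hello"
SAMPLES: Dict[str, Tuple[int, int, bytes]] = {
    "signon_from_server": (AIM_PORT, 49152, build_flap(1, 1, b"\x00\x00\x00\x01")),
    "snac_to_server": (49152, AIM_PORT, build_flap(2, 2, ICBM_SEND)),
    "snac_from_server": (AIM_PORT, 49152, build_flap(2, 3, ICBM_SEND)),
    "keepalive_to_server": (49152, AIM_PORT, build_flap(5, 4, b"")),
    # a segment that begins in the middle of a large frame: no FLAP header at offset 0
    "mid_frame_continuation": (AIM_PORT, 49152, b"some message text that spilled over"),
    "http_on_5190": (AIM_PORT, 49152, b"HTTP/1.0 200 OK\r\n"),
}


def evaluate_samples() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """For each sample: (what the rules report, what the FLAP channel really is)."""
    out: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for name, (sp, dp, payload) in SAMPLES.items():
        verdict = rule_matches(sp, dp, payload)
        try:
            channel: Optional[str] = FLAP_CHANNELS.get(parse_flap(payload)[0], "unknown")
        except ValueError:
            channel = None
        out[name] = (verdict, channel)
    return out


if __name__ == "__main__":
    for name, (verdict, channel) in evaluate_samples().items():
        print(f"{name:24s} rule={verdict!s:9s} flap_channel={channel}")
```

Running it shows the two SNAC data frames firing as inbound and outbound, while the channel-1 sign-on frame and the channel-5 keep-alive are not matched, so the rules only fire once real data flows. Because the rules test offset 0 of each segment, a segment that starts mid-frame is also missed, and `fragbits:D` adds little discrimination since most TCP stacks set DF on every segment for path MTU discovery.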