[Snort-users] AOL Instant Messenger signature?
blake at ...319...
Tue May 1 14:42:32 EDT 2001
I spent about 30 mins playing and came up with the following:
- AIM 3.0 defaults to port 5190/tcp
- All packets were set to DF (Do not Fragment)
- The payload always started with "2A 02"
alert tcp $EXTERNAL_NET 5190 -> $HOME_NET 1024: (msg:"AOL Instant Messager - Inbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 5190 (msg:"AOL Instant Messager - Outbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)
If anyone can improve this or find any instances which cause this rule
to fail, please speak up.
The Government, like diapers, should be replaced regularly, and
often for the same reasons.
On Mon, 16 Apr 2001, Jones, Benny wrote:
> Fellow snorters...
> Is there a signature to detect AIM activity?
> I couldn't find one on www.snort.org or
> Thanks in advance.
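The following is an added example, not code from the post above: it re-implements the matching logic of the two posted rules in Python (port 5190 on one side, an ephemeral port of 1024 or higher on the other, DF set, payload starting with the bytes 2A 02) and runs it over a few constructed packets. It also decodes the AIM/OSCAR FLAP frame header (the 0x2A start byte is followed by a channel byte, a 16-bit sequence number and a 16-bit length; channel 2 carries SNAC data, channel 1 the connection sign-on, 5 the keepalive), which is background from the protocol rather than from the post. Running it shows which traffic the "2A 02" check covers and which FLAP channels on the same connection it does not, which is the kind of gap the author asks people to look for. The `Packet` class and the sample packets are assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass

AIM_PORT = 5190            # default AIM port named in the post
FLAP_START = 0x2A          # first byte of every OSCAR FLAP frame
RULE_PREFIX = b"\x2a\x02"  # the content:"|2A 02|" check in the posted rules
# FLAP channel byte -> meaning (OSCAR protocol knowledge, not from the post)
FLAP_CHANNELS = {1: "signon", 2: "snac-data", 3: "error", 4: "close", 5: "keepalive"}


@dataclass
class Packet:
    """Minimal stand-in for a TCP segment (constructed for this example)."""
    src_port: int
    dst_port: int
    df: bool        # IP Don't Fragment flag, what fragbits:D tests
    payload: bytes


def matches_rule(pkt: Packet):
    """Mirror the two posted rules; return 'inbound', 'outbound' or None."""
    if pkt.src_port == AIM_PORT and pkt.dst_port >= 1024:
        direction = "inbound"          # $EXTERNAL_NET 5190 -> $HOME_NET 1024:
    elif pkt.dst_port == AIM_PORT and pkt.src_port >= 1024:
        direction = "outbound"         # $HOME_NET 1024: -> $EXTERNAL_NET 5190
    else:
        return None
    if not pkt.df:                     # fragbits:D
        return None
    if pkt.payload[:2] != RULE_PREFIX: # offset:0; depth:2
        return None
    return direction


def parse_flap(payload: bytes):
    """Decode one FLAP header: 0x2A, channel, seq (u16), length (u16)."""
    if len(payload) < 6 or payload[0] != FLAP_START:
        return None
    channel, seq, length = struct.unpack("!BHH", payload[1:6])
    if channel not in FLAP_CHANNELS or len(payload) < 6 + length:
        return None
    return {"channel": channel, "kind": FLAP_CHANNELS[channel],
            "seq": seq, "data": payload[6:6 + length]}


def build_flap(channel: int, seq: int, data: bytes) -> bytes:
    """Assemble a FLAP frame (used here only to construct sample traffic)."""
    return bytes([FLAP_START, channel]) + struct.pack("!HH", seq, len(data)) + data


# Constructed sample traffic, one client talking to an AIM server on 5190.
SAMPLE_PACKETS = [
    # FLAP sign-on frame (channel 1): what the rule sees first, but it starts 2A 01
    ("client signon", Packet(1500, AIM_PORT, True, build_flap(1, 0, b"\x00\x00\x00\x01"))),
    # SNAC data frame (channel 2): this is what the posted rules catch
    ("client snac", Packet(1500, AIM_PORT, True, build_flap(2, 1, b"\x00\x01\x00\x06"))),
    ("server snac", Packet(AIM_PORT, 1500, True, build_flap(2, 7, b"\x00\x01\x00\x03"))),
    # keepalive (channel 5) on the same session
    ("client keepalive", Packet(1500, AIM_PORT, True, build_flap(5, 2, b""))),
    # same SNAC frame but DF clear: fragbits:D drops it
    ("client snac no-DF", Packet(1500, AIM_PORT, False, build_flap(2, 3, b"\x00\x01\x00\x06"))),
]


def evaluate(packets=SAMPLE_PACKETS):
    """Return (label, rule verdict, FLAP channel kind) for each packet."""
    out = []
    for label, pkt in packets:
        flap = parse_flap(pkt.payload)
        out.append((label, matches_rule(pkt), flap["kind"] if flap else None))
    return out


if __name__ == "__main__":
    for label, verdict, kind in evaluate():
        print(f"{label:20s} rule={verdict!s:9s} flap={kind}")
```

Only the two SNAC data frames fire the rule; the sign-on, keepalive and DF-clear segments on the same session do not, so a deployment that wants to see the start of every AIM connection would need a second content check for the sign-on channel rather than relying on "2A 02" alone.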