[Snort-users] AOL Instant Messenger signature?
danf at ...1406...
Tue May 1 15:38:07 EDT 2001
Many of our users were smart enough to change the default port of 5190 to
From: Blake Frantz [mailto:blake at ...319...]
Sent: Tuesday, May 01, 2001 2:43 PM
To: Jones, Benny
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] AOL Instant Messenger signature?
I spent about 30 mins playing and came up with the following:
- AIM 3.0 defaults to port 5190/tcp
- All packets were set to DF (Do not Fragment)
- The payload always started with "2A 02"
alert tcp $EXTERNAL_NET 5190 -> $HOME_NET 1024: (msg:"AOL Instant Messager - Inbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 5190 (msg:"AOL Instant Messager - Outbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)
If anyone can improve this or find any instances which cause this rule
to fail, please speak up.
The Government, like diapers, should be replaced regularly, and
often for the same reasons.
On Mon, 16 Apr 2001, Jones, Benny wrote:
> Fellow snorters...
> Is there a signature to detect AIM activity?
> I couldn't find one on www.snort.org or
> Thanks in advance.
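As an added example (not code from the thread or from the Snort project), the following Python models the two rules Blake posted and runs them over a few constructed packets. It covers the normal inbound and outbound data frames plus the two cases the thread itself raises as reasons the rule can miss: a client moved off port 5190 (danf's point) and a frame whose second byte is not 02. The FLAP framing used to build the sample payloads (0x2A marker, one-byte channel, 16-bit sequence, 16-bit length) is the OSCAR/AIM wire format; the `Packet` class is a hypothetical stand-in for the fields Snort's decoder would expose, and `looks_like_flap` is a port-independent check that goes beyond the original rule by validating the length field instead of relying on the port.

```python
import struct
from dataclasses import dataclass

FLAP_MARKER = 0x2A   # first byte of every AIM (OSCAR) FLAP frame
AIM_PORT = 5190      # default server port from the thread


@dataclass
class Packet:
    """Hypothetical stand-in for the decoded fields a Snort rule looks at."""
    src_port: int
    dst_port: int
    df: bool          # IP Don't Fragment flag (Snort: fragbits:D)
    payload: bytes    # TCP payload
    home_dst: bool    # True if the destination is in $HOME_NET (inbound)


def flap_frame(channel: int, seq: int, body: bytes) -> bytes:
    """Build a FLAP frame: marker, channel, 16-bit seq, 16-bit body length, body.
    Channel 1 is the sign-on frame, channel 2 carries SNAC data."""
    return struct.pack("!BBHH", FLAP_MARKER, channel, seq, len(body)) + body


def matches_rule(pkt: Packet) -> bool:
    """Apply the two posted rules: 5190 on the external side, an ephemeral
    port (1024:) on the home side, DF set, and payload starting with 2A 02."""
    if pkt.home_dst:   # $EXTERNAL_NET 5190 -> $HOME_NET 1024:
        port_ok = pkt.src_port == AIM_PORT and pkt.dst_port >= 1024
    else:              # $HOME_NET 1024: -> $EXTERNAL_NET 5190
        port_ok = pkt.src_port >= 1024 and pkt.dst_port == AIM_PORT
    # content:"|2A 02|"; offset:0; depth:2; fragbits:D;
    return port_ok and pkt.df and pkt.payload[:2] == b"\x2a\x02"


def looks_like_flap(payload: bytes) -> bool:
    """Port-independent sanity check of FLAP framing: marker byte, a known
    channel (1-5), and a length field that agrees with the payload size."""
    if len(payload) < 6 or payload[0] != FLAP_MARKER:
        return False
    channel, _seq, length = struct.unpack("!BHH", payload[1:6])
    return 1 <= channel <= 5 and length == len(payload) - 6


# Constructed sample traffic (not captured data).
SNAC_BODY = b"\x00\x04\x00\x07\x00\x00\x00\x00\x00\x01"  # arbitrary SNAC-like bytes
SAMPLES = {
    "inbound_data_frame":  Packet(5190, 40321, True, flap_frame(2, 7, SNAC_BODY), True),
    "outbound_data_frame": Packet(40321, 5190, True, flap_frame(2, 3, SNAC_BODY), False),
    # Channel 1 sign-on frame starts 2A 01, so the posted rule never sees it.
    "signon_frame":        Packet(5190, 40321, True, flap_frame(1, 1, b"\x00\x00\x00\x01"), True),
    # User changed the server port (the case danf describes): rule misses.
    "nonstandard_port":    Packet(40321, 80, True, flap_frame(2, 3, SNAC_BODY), False),
    # Unrelated traffic that happens to use port 5190: no 2A 02 prefix.
    "http_on_5190":        Packet(40321, 5190, True, b"GET / HTTP/1.0\r\n\r\n", False),
}


def evaluate(samples=SAMPLES) -> dict:
    """Return, per sample, whether the posted rules would fire on it."""
    return {name: matches_rule(pkt) for name, pkt in samples.items()}


def evaluate_flap(samples=SAMPLES) -> dict:
    """Return, per sample, whether the port-independent framing check accepts it."""
    return {name: looks_like_flap(pkt.payload) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:22s} rule={evaluate()[name]!s:5s} flap_framing={evaluate_flap()[name]}")
```

The framing check accepts the moved-port and sign-on samples that the port-bound rule misses, and still rejects the HTTP sample; Snort's content match cannot express the length comparison directly, so in practice that logic would live in a preprocessor or a custom detection plugin rather than in a rule.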
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive: