[Snort-users] AOL Instant Messenger signature?

Dan Fiorito danf at ...1406...
Tue May 1 15:38:07 EDT 2001


Many of our users were smart enough to change the default port of 5190 to
say 21.

-----Original Message-----
From: Blake Frantz [mailto:blake at ...319...]
Sent: Tuesday, May 01, 2001 2:43 PM
To: Jones, Benny
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] AOL Instant Messenger signature?



Hello,

I spent about 30 mins playing and came up with the following:

   - AIM 3.0 defaults to port 5190/tcp
   - All packets were set to DF (Do not Fragment)
   - The payload always started with "2A 02"

alert tcp $EXTERNAL_NET 5190 -> $HOME_NET 1024: (msg:"AOL Instant Messager - Inbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 5190 (msg:"AOL Instant Messager - Outbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)

If anyone can improve this or find any instances which cause this rule
to fail, please speak up.

Blake Frantz

================================================================= 
The Government, like diapers, should be replaced regularly, and
often for the same reasons. 

On Mon, 16 Apr 2001, Jones, Benny wrote:

> Fellow snorters...
> 
> Is there a signature to detect AIM activity?
> I couldn't find one on www.snort.org or
> www.whitehats.com.
> 
> Thanks in advance.
> 
> Benny
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 


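The following is an added example, not code from either poster: it models the two Snort rules quoted above in Python and applies them to constructed packet records, to show Dan's point that rules keyed on port 5190 miss a client that has moved AIM to port 21, while a port-independent match on the observed "2A 02" prefix plus the DF bit still catches it (at the cost of more false positives). Packet fields, port numbers and payloads are assumptions made up for the demonstration.

```python
# Added example (not from the thread): a minimal model of the two Snort rules
# quoted above, run over constructed packets, to show why a rule keyed on
# port 5190 misses a client that has moved AIM to port 21.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

FLAP_START = bytes.fromhex("2A02")   # the "2A 02" payload prefix Blake observed

@dataclass
class Packet:
    src_port: int
    dst_port: int
    df: bool          # IP Don't Fragment flag (Snort: fragbits:D)
    payload: bytes    # TCP payload

def content_match(payload: bytes, content: bytes, offset: int, depth: int) -> bool:
    """Snort-style content test: search for `content` in payload[offset:offset+depth]."""
    return content in payload[offset:offset + depth]

def aim_rule_port_based(pkt: Packet) -> Optional[str]:
    """Mimics Blake's rules: 5190 on one side, >=1024 on the other, DF set, 2A 02 at offset 0."""
    if not (pkt.df and content_match(pkt.payload, FLAP_START, 0, 2)):
        return None
    if pkt.src_port == 5190 and pkt.dst_port >= 1024:
        return "AOL Instant Messenger - Inbound"
    if pkt.dst_port == 5190 and pkt.src_port >= 1024:
        return "AOL Instant Messenger - Outbound"
    return None

def aim_rule_any_port(pkt: Packet) -> Optional[str]:
    """Same content/fragbits test, but port-agnostic (trade-off: more false positives)."""
    if pkt.df and content_match(pkt.payload, FLAP_START, 0, 2):
        return "AOL Instant Messenger - any port"
    return None

# Constructed sample traffic (not real captures).
SAMPLES: Dict[str, Packet] = {
    "default_outbound": Packet(33001, 5190, True, b"\x2a\x02\x00\x01\x00\x04abcd"),
    "moved_to_port_21": Packet(33002, 21, True, b"\x2a\x02\x00\x02\x00\x00"),
    "ftp_banner":       Packet(21, 33003, True, b"220 ftp ready\r\n"),
    "not_df":           Packet(33004, 5190, False, b"\x2a\x02\x00\x03"),
}

def evaluate(rule: Callable[[Packet], Optional[str]], samples=SAMPLES) -> Dict[str, Optional[str]]:
    """Run one rule over every sample and report which alert (if any) it raises."""
    return {name: rule(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for label, rule in (("port-based", aim_rule_port_based), ("any-port", aim_rule_any_port)):
        print(label, evaluate(rule))
```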