[Snort-users] AOL Instant Messenger signature?

Dr SuSE drsuse at ...748...
Tue May 1 16:23:46 EDT 2001


I wouldn't use a rule that relies on a specific port but rather one that is 
based on a connection to login.oscar.aol.com, which is the server AIM users have 
to connect to in order to make AIM work.  

I used to have some info on many of the chat clients in use today, such as 
ports used and login servers.  I'll see if I can dig that info up.

You might want to simply block outbound traffic to login.oscar.aol.com at the 
firewall.

An AIM rule would be more a rule used to enforce a site security policy or 
network usage policy.  Does anyone have any thoughts on perhaps building 
some policy-type rules which would be separate from the exploit/malicious traffic 
rules?  I'm sure someone might find it useful.

> Many of our users were smart enough to change the default port of 5190 to
> say 21.
> 
> -----Original Message-----
> From: Blake Frantz [mailto:blake at ...319...]
> Sent: Tuesday, May 01, 2001 2:43 PM
> To: Jones, Benny
> Cc: 'snort-users at lists.sourceforge.net'
> Subject: Re: [Snort-users] AOL Instant Messenger signature?
> 
> 
> 
> Hello,
> 
> I spent about 30 mins playing and came up with the following:
> 
>    - AIM 3.0 defaults to port 5190/tcp
>    - All packets were set to DF (Do not Fragment)
>    - The payload always started with "2A 02"
> 
> alert tcp $EXTERNAL_NET 5190 -> $HOME_NET 1024: (msg:"AOL Instant Messenger - Inbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 5190 (msg:"AOL Instant Messenger - Outbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)
> 
> If anyone can improve this or find any instances which cause this rule
> to fail, please speak up.
> 
> Blake Frantz
> 
> ================================================================= 
> The Government, like diapers, should be replaced regularly, and
> often for the same reasons. 
> 
> On Mon, 16 Apr 2001, Jones, Benny wrote:
> 
> > Fellow snorters...
> > 
> > Is there a signature to detect AIM activity?
> > I couldn't find one on www.snort.org or
> > www.whitehats.com.
> > 
> > Thanks in advance.
> > 
> > Benny
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> 

---------------------------------------------
Microsoft is not installed.
http://www.drsuse.org/
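As an added example (not code from any poster in this thread): a small Python check that applies the same "2A 02" prefix Blake's rules match, but without depending on the TCP port, which is the direction Dr SuSE argues for given users who moved the client to port 21. It decodes the OSCAR FLAP header (0x2A marker, one-byte channel, 16-bit sequence, 16-bit data length) and validates the length field against the bytes actually present, which a two-byte content match cannot do. The packet list, the 10.0.0.0/24 home net and the 203.0.113.10 server address are constructed for the demo, not captured traffic.

```python
import struct

FLAP_MARKER = 0x2A
AIM_DEFAULT_PORT = 5190
# Channel IDs defined by the OSCAR FLAP layer.
FLAP_CHANNELS = {1: "new-connection", 2: "snac-data", 3: "error", 4: "close", 5: "keepalive"}


def build_flap(channel, seq, data):
    """Build one FLAP frame: 0x2A, channel, 16-bit sequence, 16-bit data length, then data."""
    return struct.pack("!BBHH", FLAP_MARKER, channel, seq, len(data)) + data


def parse_flap(payload):
    """Return (channel, seq, data) if payload is a well-formed FLAP frame, else None.

    Blake's rule matches only the first two bytes ("2A 02"); also checking the
    channel and the declared length against the bytes present rejects most
    payloads that merely happen to start with 0x2A.
    """
    if len(payload) < 6 or payload[0] != FLAP_MARKER:
        return None
    _, channel, seq, length = struct.unpack("!BBHH", payload[:6])
    if channel not in FLAP_CHANNELS or length != len(payload) - 6:
        return None
    return channel, seq, payload[6:]


def detect_aim(packets, home_net="10.0.0."):
    """Flag AIM FLAP frames in a list of packet dicts regardless of TCP port.

    Each packet is {"src": ip, "sport": n, "dst": ip, "dport": n, "df": bool, "payload": bytes}.
    Returns one alert dict per FLAP frame found.
    """
    alerts = []
    for i, p in enumerate(packets):
        parsed = parse_flap(p["payload"])
        if parsed is None:
            continue
        channel, seq, _ = parsed
        direction = "outbound" if p["src"].startswith(home_net) else "inbound"
        alerts.append({
            "packet": i,
            "direction": direction,
            "channel": FLAP_CHANNELS[channel],
            "seq": seq,
            "default_port": AIM_DEFAULT_PORT in (p["sport"], p["dport"]),
            # DF is recorded because Blake's rule requires it, but most TCP stacks
            # set DF on every segment, so on its own it does not discriminate.
            "df": p["df"],
        })
    return alerts


# Constructed sample traffic (not a real capture); 203.0.113.10 stands in for the AIM server.
SAMPLE_PACKETS = [
    # 0. AIM sign-on frame (channel 1) to the login server on the default port.
    {"src": "10.0.0.5", "sport": 1234, "dst": "203.0.113.10", "dport": AIM_DEFAULT_PORT, "df": True,
     "payload": build_flap(1, 0x1A2B, b"\x00\x00\x00\x01")},
    # 1. Same client after being moved to port 21: a SNAC data frame (channel 2), still detected.
    {"src": "10.0.0.5", "sport": 1235, "dst": "203.0.113.10", "dport": 21, "df": True,
     "payload": build_flap(2, 0x1A2C, b"\x00\x04\x00\x06\x00\x00\x00\x00\x00\x01")},
    # 2. A genuine FTP banner on port 21: not AIM.
    {"src": "203.0.113.20", "sport": 21, "dst": "10.0.0.5", "dport": 1236, "df": True,
     "payload": b"220 ftp.example.test FTP server ready\r\n"},
    # 3. Data that starts with "2A 02" but carries an impossible length field:
    #    a bare two-byte content match would fire here, the length check does not.
    {"src": "203.0.113.10", "sport": AIM_DEFAULT_PORT, "dst": "10.0.0.5", "dport": 1237, "df": True,
     "payload": b"\x2a\x02\xff\xff\xff\xff\x00"},
]

if __name__ == "__main__":
    for alert in detect_aim(SAMPLE_PACKETS):
        print(alert)
```

Running it reports packets 0 and 1 only: the sign-on frame on 5190 and the data frame the user moved to port 21, with the FTP banner and the spoofed-looking "2A 02" fragment left alone. The port-independent match is what you would want behind a policy rule of the kind Dr SuSE describes; a blanket block of login.oscar.aol.com at the firewall remains the simpler enforcement if detection alone is not the goal.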