[Snort-users] AOL Rule

Cessna, Michael MCessna at ...3439...
Wed Oct 24 13:33:08 EDT 2001

Aim normally connects on tcp 5190 but it can be set to communicate on any
port. Also the data portion of the packet starts with |2A 02|, it may also
start with |2A 05| but this is only for the "unknown" info message, so you
really don't need to capture those packets.
log tcp any any -> any 5190 (content:"|2A 02|";)
log tcp any 5190 -> any any (content:"|2A 02|";)

If I get some time soon I'll try to clean up the rule a little bit. As it
sits you will get some false positives, but it will catch all the aim
traffic on 5190. I put this in because our execs wanted to keep a record of
aim traffic in case we had an info leak, but did not want to ban AIM (trying
to keep the employees happy :)

-----Original Message-----
From: Greg Robinson [mailto:greg at ...3899...]
Sent: Wednesday, October 24, 2001 4:24 PM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] AOL Rule

Has anyone ever writen a rule to log aol IM's the way the MSM im's are
logged to the database....some help on that would greatly be appreciated...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20011024/393713c3/attachment.html>

More information about the Snort-users mailing list