[Snort-users] AOL Rule

Jim Forster jforster at ...176...
Wed Oct 24 15:02:06 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One more cleanup.  :)   This one catches ICQ2000b.
alert tcp any any <> any 5190 (msg:"ICQ"; flags:A+; content:"|2A 02|"; depth:2; content:"|04|"; offset:7; depth:1; dsize:>140;)


At 03:31 PM 10/24/2001, Cessna, Michael wrote:
>I cleaned the rule up a bit:
>log tcp any any -> any 5190 (msg:"AIM packet"; content:"|2A 02|"; depth:2; flags:AP+; classtype:not-suspicious; priority:0;)
>log tcp any 5190 -> any any (msg:"AIM packet"; content:"|2A 02|"; depth:2; flags:AP+; classtype:not-suspicious; priority:0;)
>
>If you are not using the binary logging format then you can add the 
>LOGTO:"<filename>" option to the rule to have a separate log for the rule 
>(I use binary logging so I didn't add it to the rule). Also since we are 
>checking the payload of the data packet for the |2A 02| content with a 
>depth limit, the 5190 port should not be needed......I'll have to check 
>that out.
>Anyway I'm running this rule tonight and check the log against yesterday's 
>log when I get back in tomorrow to make sure that I'm not dropping 
>anything that should be logged. After that I'll test it without the port 
>restrictions since AIM can connect on just about any port. I'm not sure 
>how much impact that will have on snort but I'll set up a test sensor and 
>find out. I'll let you know what I find.
>Mike
>-----Original Message-----
>From: Cessna, Michael [mailto:MCessna at ...3439...]
>Sent: Wednesday, October 24, 2001 4:28 PM
>To: 'Greg Robinson'; Snort-users at lists.sourceforge.net
>Subject: RE: [Snort-users] AOL Rule
>
>Aim normally connects on tcp 5190 but it can be set to communicate on any 
>port. Also the data portion of the packet starts with |2A 02|, it may also 
>start with |2A 05| but this is only for the "unknown" info message, so you 
>really don't need to capture those packets.
>
>log tcp any any -> any 5190 (content:"|2A 02|";)
>log tcp any 5190 -> any any (content:"|2A 02|";)
>If I get some time soon I'll try to clean up the rule a little bit. As it 
>sits you will get some false positives, but it will catch all the aim 
>traffic on 5190. I put this in because our execs wanted to keep a record 
>of aim traffic in case we had an info leak, but did not want to ban AIM 
>(trying to keep the employees happy :)
>Mike
>-----Original Message-----
>From: Greg Robinson [mailto:greg at ...3899...]
>Sent: Wednesday, October 24, 2001 4:24 PM
>To: Snort-users at lists.sourceforge.net
>Subject: [Snort-users] AOL Rule
>
>Has anyone ever written a rule to log aol IM's the way the MSM im's are 
>logged to the database....some help on that would greatly be appreciated...
>
>Greg

- -----------------------------------------------------
Jim Forster
Network Administrator
RapidNet, A Golden West Company
- -----------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBO9c6tIm0Gn1R8/mJEQJjbgCgzD7ww5qci101ywBKOVyz6NoLj4MAniYq
iMe8Kj2lpMQ0HcD3lW0fCtl4
=UAgN
-----END PGP SIGNATURE-----
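
An added example (not code from the thread and not Snort's own matching engine): a small evaluator for the payload options the two rules above rely on (`content` with `offset`/`depth`, and `dsize:>N`), run over constructed packet payloads so the difference between the broad AIM rule and the narrower ICQ rule is visible. Ports and TCP flags are deliberately not modelled, which is also what Mike's "test it without the port restrictions" variant would match on. The sample payloads are built with a `flap_frame` helper that assumes the usual FLAP layout (0x2A marker, channel byte, 16-bit sequence, 16-bit length, body); that layout and the reading of byte 7 as the low byte of the SNAC family field are my assumptions, not something the thread states.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Content:
    """One Snort 'content' test with the offset/depth modifiers used in the thread.
    offset: where the search window starts; depth: how many bytes from there to search."""
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None

    def matches(self, payload: bytes) -> bool:
        end = len(payload) if self.depth is None else self.offset + self.depth
        return self.pattern in payload[self.offset:end]


@dataclass
class Rule:
    msg: str
    contents: list
    min_dsize: Optional[int] = None  # Snort 'dsize:>N' (strictly greater than N)

    def matches(self, payload: bytes) -> bool:
        if self.min_dsize is not None and len(payload) <= self.min_dsize:
            return False
        return all(c.matches(payload) for c in self.contents)


# The two rules from the thread, transcribed into the evaluator. Only the
# payload options are modelled; port and flags tests are intentionally omitted.
RULES = [
    Rule("AIM packet", [Content(b"\x2a\x02", depth=2)]),
    Rule("ICQ", [Content(b"\x2a\x02", depth=2),
                 Content(b"\x04", offset=7, depth=1)], min_dsize=140),
]


def evaluate(payload: bytes) -> list:
    """Return the msg of every rule whose payload options match, in rule order."""
    return [r.msg for r in RULES if r.matches(payload)]


def flap_frame(channel: int, seq: int, body: bytes) -> bytes:
    """Constructed FLAP frame: 0x2A, channel, 16-bit seq, 16-bit body length, body.
    Assumed layout (standard FLAP framing); not spelled out in the thread."""
    return (b"\x2a" + bytes([channel]) + seq.to_bytes(2, "big")
            + len(body).to_bytes(2, "big") + body)


# Constructed sample payloads (not captures from the thread).
SAMPLES = {
    # channel 1 (connection setup): does not start with 2A 02, so nothing fires
    "flap_login": flap_frame(1, 1, b"\x00\x00\x00\x01"),
    # channel 2 data frame, SNAC family 0x0001, 22 bytes: only the AIM rule fires
    "aim_short": flap_frame(2, 2, b"\x00\x01\x00\x0f" + b"\x00" * 12),
    # channel 2, family 0x0004 (byte 7 == 0x04), 160 bytes: both rules fire
    "icq_message": flap_frame(2, 3, b"\x00\x04\x00\x06" + b"A" * 150),
    # same family but 50 bytes: dsize:>140 keeps the ICQ rule quiet
    "icq_small": flap_frame(2, 4, b"\x00\x04\x00\x06" + b"A" * 40),
    # unrelated traffic that could also be seen on port 5190
    "http_get": b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
    # the false-positive case Mike mentions: any payload that happens to start 2A 02
    "coincidence": b"\x2a\x02" + bytes(range(3, 60)),
}


def report() -> dict:
    """Evaluate every sample and map its name to the list of matching rule msgs."""
    return {name: evaluate(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:12s} -> {hits or 'no match'}")
```

Note how `depth:2` on the first `content` pins `|2A 02|` to the very start of the payload: a payload of `00 2A 02` does not match, because only the first two bytes are searched. The `coincidence` sample shows why Mike expected false positives from the AIM rule alone, and `icq_small` shows what the extra `dsize:>140` test in Jim's rule is buying.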
