[Snort-users] MSN Chat Rule Help

Brian bmc at ...950...
Mon Dec 2 13:44:02 EST 2002


On Mon, Dec 02, 2002 at 04:24:51PM -0500, Derrick Lichti wrote:
> From: Ricardo Londoño [mailto:ricardo at ...7540...]
>> My Current Rule:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN chat access";
>> flow:to_server,established; content:"text/plain"; depth:100;
>> classtype:misc-activity; sid:540;  rev:6;)

> alert tcp any 1863 <> $HOME_NET any (msg:"MSN IM Chat Data Logged"; flags:PA;
> content:"|746578742F706C61696E|"; depth:100;)

These are the same signature, except the "official one" is a bit less crappy.
(Its still crappy and needs revisited, but less so) 

"|746578742F706C61696E|" transates to "text/plain".  The original content is
much harder to read than the plain ascii version.  The "official" rule also uses 
flow instead of flags.  I'll look at MSN messenger tonight and see what I can
come up with.

-brian




More information about the Snort-users mailing list