[Snort-users] RE: Snort-users digest, Vol 1 #2589 - 3 msgs

L. Christopher Luther CLuther at ...6333...
Mon Dec 16 12:33:07 EST 2002

In answer to your question:  

1) Presuming that AIM only uses TCP port 5190 and is not proxied, then yes,
the rule you note below will generate a Snort alert for all AIM packets it

2) As I just noted above, Snort will generate an alert, and depending on
logging facility you use, Snort will either log the entire contents of the
*packet* or just some high-level information.  You may want to consider
making the AIM rule only a logging rule (i.e., "log tcp any any -> any
5190") to avoid getting overrun my alerts generated by AIM traffic.  Unless
of course, you actually want those alerts  ;)  

3) And no, the rule will not capture the whole AIM conversation.  Though I
imaging that is would be possible to use binary logging or the unified log
facility and some sort of post processor to piece together all of AIM
packets captured and reconstruct the AIM conversation.  

4) Yes, create a .rules file (or use the local.rules) and make reference to
it in the snort.conf file.  

- Christopher

-----Original Message-----
From: "Shafer, Troy" <tshafer at ...7761...>
To: "'snort-users at lists.sourceforge.net'"
	 <snort-users at lists.sourceforge.net>
Date: Mon, 16 Dec 2002 14:57:42 -0500
Subject: [Snort-users] another question

I found this code on the net for logging aim traffic...

alert tcp any any -> any 5190 (msg:"AIM Message"; content:"HTML";)

my first question, does this actually log the content of the messages and
two how would I implement this with snort... write a .rules file... then put
and include in the the snort.conf?  Still trying to figure this snort thing

Troy Shafer
Network Engineer
Laurel County Schools
tshafer at ...7761...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20021216/e4bcdf5c/attachment.html>

More information about the Snort-users mailing list