[Snort-users] rule for Yahoo or Hotmail messengers

Imran William Smith iwsmith at ...487...
Mon Jun 17 03:02:12 EDT 2002


Note: in future, queries like this belong in the snort-sigs group.

For Yahoo I built the following rules, but have not tested them much yet.
In particular, I was worried about message transfers - much more
dangerous than just people talking....

Only the original connect to Yahoo should be flagged, not every single message,
to reduce the amount of data logged.

You'll have to allocate your own sids.



alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"INFO Yahoo messenger login"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Yahoo messenger login through port 80"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 119 (msg:"INFO Yahoo messenger file transfer"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INFO Yahoo messenger file transfer through port 80"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)




--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia



----- Original Message ----- 
From: "Ronneil Camara" <ronneilc at ...4042...>
To: <snort-users at lists.sourceforge.net>
Sent: Monday, June 17, 2002 2:11 PM
Subject: [Snort-users] rule for Yahoo or Hotmail messengers


| Does anyone have a rule to detect logins to yahoo or hotmail messengers
| and if using port 80?
| 
| Adding a rule based on destination address is easy. But I was hoping
| that someone has already created a rule based on a sniffed packet
| of yahoo or hotmail traffic headers. (Sorta content filtering approach)
| 
| Thanks in advance.
| 
| Neil
| 





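Added illustration, not part of the original post or of Snort itself: a small Python model of how the four rules above evaluate against traffic. It parses each rule's header and options, resolves $HOME_NET / $EXTERNAL_NET to constructed "home" / "external" labels on sample packets, and applies the key semantics the post relies on: a rule fires only when the direction and ports match and every content: string in the rule is present in the payload (multiple content keywords are ANDed), so a plain chat message carrying only "YMSG" is not flagged while a login carrying both strings is. The packets are constructed; the matcher handles plain-text content only (no |hex| bytes, no offset/depth modifiers) and ignores flags:.

```python
import re
from dataclasses import dataclass

# The rules from the post, one per line (sids are the post's placeholders).
RULES_TEXT = """
alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"INFO Yahoo messenger login"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Yahoo messenger login through port 80"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 119 (msg:"INFO Yahoo messenger file transfer"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INFO Yahoo messenger file transfer through port 80"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)
"""

# Assumption for this example: packets carry a "home"/"external" label in
# place of real addresses, standing in for the Snort network variables.
NET_VARS = {"$EXTERNAL_NET": "external", "$HOME_NET": "home"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
# One option per match: name, then either a "quoted" value or a bare value, then ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*:\s*(?:"([^"]*)"|([^;]*))\s*;')


@dataclass
class Rule:
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    sid: int
    contents: list  # every content: string must be found (AND)


@dataclass
class Packet:
    src_net: str  # "home" or "external" (constructed label)
    sport: int
    dst_net: str
    dport: int
    payload: bytes


def parse_rule(line):
    """Parse one single-line Snort rule into a Rule (plain-text content only)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    msg, sid, contents = "", 0, []
    for name, quoted, bare in OPTION_RE.findall(m["opts"]):
        value = quoted if quoted else bare.strip()
        if name == "msg":
            msg = value
        elif name == "sid":
            sid = int(value)
        elif name == "content":
            contents.append(value.encode())
    return Rule(m["src"], m["sport"], m["dst"], m["dport"], msg, sid, contents)


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def _net_ok(spec, net):
    return spec == "any" or NET_VARS.get(spec) == net


def rule_matches(rule, pkt):
    """True when direction, ports and *all* content strings match the packet."""
    if not (_net_ok(rule.src, pkt.src_net) and _port_ok(rule.sport, pkt.sport)
            and _net_ok(rule.dst, pkt.dst_net) and _port_ok(rule.dport, pkt.dport)):
        return False
    return all(c in pkt.payload for c in rule.contents)


def evaluate(rules, packets):
    """Return (sid, msg) for every rule that fires on every packet, in order."""
    return [(r.sid, r.msg) for pkt in packets for r in rules if rule_matches(r, pkt)]


RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines() if l.strip()]

# Constructed sample traffic (not real captures).
SAMPLE_PACKETS = [
    # login reply from the messenger service on port 119, both strings present
    Packet("external", 119, "home", 4321, b"YMSG\x00\x0b\x00\x00 ... domain=.yahoo.com ..."),
    # same login reply tunnelled over port 80
    Packet("external", 80, "home", 4322, b"HTTP/1.0 200 OK\r\n\r\nYMSG ... domain=.yahoo.com"),
    # ordinary chat message: "YMSG" only, must NOT fire (post wants logins only)
    Packet("external", 119, "home", 4321, b"YMSG\x00\x0b hello there"),
    # outbound file-transfer request over port 80
    Packet("home", 4323, "external", 80, b"YMSG ... FILEXFER ..."),
    # same strings on a port none of the rules cover: no alert
    Packet("home", 4324, "external", 5050, b"YMSG FILEXFER"),
]

if __name__ == "__main__":
    for sid, msg in evaluate(RULES, SAMPLE_PACKETS):
        print(sid, msg)
```

The last two packets show the limits of the rules as written: they only watch ports 119 and 80, so the same strings on any other port pass silently, which is the trade-off the post makes in exchange for not logging every message.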