[Snort-users] Rule to log Instant Messaging connections
spyguy703 at ...131...
Wed May 22 12:06:27 EDT 2002
I have a Snort IDS on my internal network. It's been
running fine and everything works great.
I am trying to create a custom rule to log certain
events. I am trying to log connections to AOL, Yahoo,
and MSN instant messaging services.
The firewall is configured to not allow ALL traffic
out. Thus, users are still connecting to these
services via ports 21, 23, and 80 which ARE allowed
OUT. Therefore, the included chat rules will not work.
How should I write a rule to detect IM services
running on these ports?
Should I create a generic rule that logs all port 21,
23, and 80 connections to:
220.127.116.11/24 for Yahoo
18.104.22.168/25 for MSN
Or is there a better approach?