[Snort-users] Rule to log Instant Messaging connections

Spy Guy spyguy703 at ...131...
Wed May 22 12:06:27 EDT 2002

I have a Snort IDS on my internal network. It's been
running fine and everything works great.

I am trying to create a custom rule to log certain
events. I am trying to log connections to AOL, Yahoo,
and MSN instant messaging services.

The firewall is configured to not allow ALL traffic
out. Thus, users are still connecting to these
services via ports 21, 23, and 80 which ARE allowed
OUT. Therefore, the included chat rules will not work.

How should I write a rule to detect IM services
running on these ports?

Should I create a generic rule that logs all port 21,
23, and 80 connections to: for yahoo for MSN

Or is there a better approach?
