[Snort-users] Rule to log Instant Messaging connections

Spy Guy spyguy703 at ...131...
Wed May 22 12:06:27 EDT 2002


I have a Snort IDS on my internal network. It's been
running fine and everything works great.

I am trying to create a custom rule to log certain
events. I am trying to log connections to AOL, Yahoo,
and MSN instant messaging services.

The firewall is configured to not allow ALL traffic
out. Thus, users are still connecting to these
services via ports 21, 23, and 80 which ARE allowed
OUT. Therefore, the included chat rules will not work.

How should I write a rule to detect IM services
running on these ports?

Should I create a generic rule that logs all port 21,
23, and 80 connections to:

216.136.226.0/24 for yahoo
64.4.13.128/25 for MSN
etc...?

Or is there a better approach?






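Added example, not part of the original post: the two approaches the question raises, written as local rules in Snort 2.x syntax. The netblocks and ports come from the post; the variable name IM_NETS, the sids, and the protocol markers ("YMSG" for Yahoo, "VER ... MSNP" for the MSN login) are assumptions of this example.

```snort
# Local rules (constructed example). sids are taken from the local range.
# Assumes HOME_NET and EXTERNAL_NET are already defined in snort.conf.

# Netblocks named in the post (Yahoo, MSN). Extend the list as needed.
var IM_NETS [216.136.226.0/24,64.4.13.128/25]

# Approach 1: destination-based. Log every outbound connection attempt
# (SYN only, reserved bits ignored) to those netblocks on the allowed ports.
# Catches any client regardless of protocol, but also logs ordinary
# FTP/telnet/web traffic to the same addresses, and misses servers
# outside the listed ranges.
log tcp $HOME_NET any -> $IM_NETS 21 (msg:"LOCAL IM netblock outbound SYN port 21"; flags:S,12; sid:1000001; rev:1;)
log tcp $HOME_NET any -> $IM_NETS 23 (msg:"LOCAL IM netblock outbound SYN port 23"; flags:S,12; sid:1000002; rev:1;)
log tcp $HOME_NET any -> $IM_NETS 80 (msg:"LOCAL IM netblock outbound SYN port 80"; flags:S,12; sid:1000003; rev:1;)

# Approach 2: payload-based. Match the start of the client's first
# message on the allowed ports, independent of destination address.
# This only matches the native protocol spoken directly over the port;
# a session wrapped in HTTP will not begin with these bytes.

# Yahoo: packets begin with the 4-byte "YMSG" header.
log tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"LOCAL IM Yahoo YMSG on port 21"; flow:to_server,established; content:"YMSG"; depth:4; sid:1000011; rev:1;)
log tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"LOCAL IM Yahoo YMSG on port 23"; flow:to_server,established; content:"YMSG"; depth:4; sid:1000012; rev:1;)
log tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL IM Yahoo YMSG on port 80"; flow:to_server,established; content:"YMSG"; depth:4; sid:1000013; rev:1;)

# MSN: login opens with "VER <id> MSNP<version> ...".
log tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"LOCAL IM MSN VER on port 21"; flow:to_server,established; content:"VER "; depth:4; content:"MSNP"; distance:0; within:16; sid:1000021; rev:1;)
log tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"LOCAL IM MSN VER on port 23"; flow:to_server,established; content:"VER "; depth:4; content:"MSNP"; distance:0; within:16; sid:1000022; rev:1;)
log tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL IM MSN VER on port 80"; flow:to_server,established; content:"VER "; depth:4; content:"MSNP"; distance:0; within:16; sid:1000023; rev:1;)
```

The `flow` keyword needs stream reassembly enabled in snort.conf.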