[Snort-users] ICQ Rule

Jarret Gibson jarret at ...7313...
Tue Oct 29 13:04:02 EST 2002


Write a rule to check for UDP packets containing "icq.com" and "login".  That info is usually contained in a packet every time they log on to ICQ.  I haven't bothered with learning to write rules yet, but from what I've seen, something like this would be pretty simple.

Jarret
  ----- Original Message ----- 
  From: Derrick Lichti 
  To: snort-users at lists.sourceforge.net 
  Sent: Tuesday, October 29, 2002 3:49 PM
  Subject: RE: [Snort-users] ICQ Rule


  Preferably every time somebody uses ICQ. I've been pointed towards monitoring port 5190 which is a good start, unfortunately users can get around it!

  Thanks,
  Derrick

  -----Original Message-----
  From: Jarret Gibson [mailto:jarret at ...7313...]
  Sent: Tuesday, October 29, 2002 3:38 PM
  To: snort-users at lists.sourceforge.net
  Subject: Re: [Snort-users] ICQ Rule

  Are you wanting a snort alert rule for any time someone uses ICQ?

  Or are you wanting a filter rule for something like Ethereal to capture packets?

  Jarret

  ----- Original Message ----- 
  From: Derrick Lichti 
  To: snort-users at lists.sourceforge.net 
  Sent: Tuesday, October 29, 2002 1:59 PM
  Subject: [Snort-users] ICQ Rule

  Hi All;

  I'm looking for a rule that would grab any packets from a client using ICQ. Does anybody know of any unique information that lies in ICQ message packets? Unfortunately, I don't have a method of testing this myself or else I would have grabbed packets and looked.

  Thanks!
  Derrick
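The two approaches discussed in this thread (Derrick's port-5190 check and Jarret's "icq.com" plus "login" content match), written out as Snort rules. This is an added example, not a rule posted by either participant; it assumes the standard $HOME_NET and $EXTERNAL_NET variables from snort.conf, and the sid values are placeholders from the local range.

```snort
# Added example: Snort rules for the two detection approaches in the thread.
# Assumes $HOME_NET / $EXTERNAL_NET are defined in snort.conf.
# sid 1000001 and 1000002 are placeholder local sids, not official ones.

# Port-based: client connections to the well-known ICQ (OSCAR) port 5190.
# Cheap to evaluate, but as noted in the thread it misses a client that
# has been reconfigured to use another port.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"POLICY ICQ client connection to port 5190"; flow:to_server,established; classtype:policy-violation; sid:1000001; rev:1;)

# Content-based: a UDP payload from the inside that carries both "icq.com"
# and "login". Port-independent, so it still fires when the user changes
# the port; nocase keeps the match case-insensitive. Both content options
# must match in the same packet for the rule to alert.
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY ICQ login string in UDP payload"; content:"icq.com"; nocase; content:"login"; nocase; classtype:policy-violation; sid:1000002; rev:1;)
```

Load the file from snort.conf with an `include` line and check `snort -T -c snort.conf` parses it cleanly before deploying; tune the content rule against real captures, since a payload match on two short strings will also hit unrelated traffic that happens to contain them.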