[Snort-users] IM Logging - How to?

Ricardo Londoño ricardo at ...7540...
Fri Jan 17 11:17:36 EST 2003


The following works for AIM.

Logs AIM Logins
alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login";
flow:to_server,established; content:"|2a 01|"; offset:0; depth:2;
classtype:policy-violation; sid:1631; rev:4;)

Logs sent messages:
alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM send message";
flow:to_server,established; content:"|2a 02|"; offset:0; depth:2;
content:"|00 04 00 06|"; offset:6; depth:4; classtype:policy-violation;
sid:1632; rev:4;)

Logs received messages:
alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"CHAT AIM receive message";
flow:to_client; content:"|2a 02|"; offset:0; depth:2;
content:"|00 04 00 07|"; offset:6; depth:4; classtype:policy-violation;
sid:1633; rev:3;)


Ricardo
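As an added illustration (editor's code, not part of the original post and not Snort's own code), the following Python models what the three rules above key on. It builds OSCAR frames from the FLAP/SNAC header layout (6-byte FLAP header, then a 10-byte SNAC header on channel 2) and applies the same byte checks the rules express with `offset`/`depth`. All frames are constructed, not captured; the screen name and message bodies are made up.

```python
"""
Model of Snort sids 1631/1632/1633 applied to constructed AIM (OSCAR) frames.

FLAP header (6 bytes, start of every OSCAR frame):
    byte 0      0x2A  frame start marker
    byte 1      channel (1 = new connection/login, 2 = SNAC data)
    bytes 2-3   sequence number
    bytes 4-5   length of the data that follows
SNAC header (10 bytes, start of channel-2 data):
    bytes 6-7   family   (0x0004 = ICBM, instant messaging)
    bytes 8-9   subtype  (0x0006 = outgoing message, 0x0007 = incoming message)
    bytes 10-11 flags
    bytes 12-15 request id
So "offset:6; depth:4" in the rules covers exactly family + subtype.
"""
import struct

TO_SERVER = "to_server"   # $HOME_NET -> $AIM_SERVERS (flow:to_server)
TO_CLIENT = "to_client"   # $AIM_SERVERS -> $HOME_NET (flow:to_client)

# (sid, msg, direction, FLAP channel byte, optional (family, subtype) at offset 6)
RULES = [
    (1631, "CHAT AIM login",           TO_SERVER, 0x01, None),
    (1632, "CHAT AIM send message",    TO_SERVER, 0x02, (0x0004, 0x0006)),
    (1633, "CHAT AIM receive message", TO_CLIENT, 0x02, (0x0004, 0x0007)),
]


def flap(channel, seq, data):
    """Build one FLAP frame: marker, channel, sequence, data length, data."""
    return struct.pack(">BBHH", 0x2A, channel, seq, len(data)) + data


def snac(family, subtype, body=b"", flags=0, req_id=0):
    """Build a SNAC header (family, subtype, flags, request id) plus body."""
    return struct.pack(">HHHI", family, subtype, flags, req_id) + body


def match(direction, payload):
    """Return the sid of the first rule that would fire on this TCP payload.

    Mirrors the rules: content at offset 0 / depth 2 must be 2a <channel>,
    and for the message rules the 4 bytes at offset 6 must be family/subtype.
    """
    if len(payload) < 2 or payload[0] != 0x2A:
        return None
    for sid, _msg, rule_dir, channel, snac_hdr in RULES:
        if direction != rule_dir or payload[1] != channel:
            continue
        if snac_hdr is not None:
            if len(payload) < 10:
                continue
            if struct.unpack(">HH", payload[6:10]) != snac_hdr:
                continue
        return sid
    return None


def build_samples():
    """Constructed traffic for the demo: (label, direction, payload)."""
    login = flap(1, 0, struct.pack(">I", 1))            # channel 1, FLAP version 1
    icbm = b"\x00" * 8 + b"\x00\x01" + b"\x03bob"        # cookie, ICBM channel, screen name
    send = flap(2, 1, snac(0x0004, 0x0006, icbm))        # outgoing message
    recv = flap(2, 1, snac(0x0004, 0x0007, icbm))        # incoming message
    other = flap(2, 2, snac(0x0001, 0x0003))             # a non-ICBM SNAC (family 0x0001)
    return [
        ("login", TO_SERVER, login),
        ("send", TO_SERVER, send),
        ("recv", TO_CLIENT, recv),
        ("other", TO_CLIENT, other),
        # same bytes as "send" but seen server->client: no rule fires
        ("send seen to_client", TO_CLIENT, send),
        # two frames coalesced in one segment: offset:0 sees only the first
        ("login+send in one segment", TO_SERVER, login + send),
    ]


def classify_samples():
    """Map each sample label to the sid that fires, or None."""
    return {label: match(d, p) for label, d, p in build_samples()}


if __name__ == "__main__":
    for label, sid in classify_samples().items():
        print(f"{label:28s} -> {sid}")
```

The last sample is the caveat worth knowing: because all three rules anchor on `offset:0`, they only see a FLAP frame that starts at the beginning of the TCP payload, so a message frame packed behind another frame in the same segment is not logged.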



----- Original Message -----
From: "Mike Shaw" <mshaw at ...3165...>
To: "Matt Yackley" <Matt.Yackley at ...5858...>; "'Angel Gabriel'"
<badmangabriel at ...8025...>; <snort-users at lists.sourceforge.net>
Sent: Friday, January 17, 2003 12:26 PM
Subject: RE: [Snort-users] IM Logging - How to?


> At 11:44 AM 1/17/2003 -0600, Matt Yackley wrote:
> >I believe that there is an IM capture util included with dsniff
> >http://naughty.monkey.org/~dugsong/dsniff/ called msgsnarf, but since this
> >package is a bit old I don't know how well it would work.
> >
> >Matt
>
> I haven't had much luck with msgsnarf.  It seems the products and protocols
> might have changed since then.
>
> I've used ngrep to snag IM transactions before.  I think AIM is port
> 5190.  MSN is a different port (can't remember).
>
> IIRC, yahoo's messenger uses http and is much harder to track states,
> etc.  Maybe someone else has had better luck.
>
> -Mike
>
>
>