[Snort-users] rule for yahoo messenger

Erek Adams erek at ...950...
Wed Jul 30 08:09:10 EDT 2003


On Tue, 29 Jul 2003, Always Bishan wrote:

> Does anybody know a snort rule to detect yahoo
> messenger?
>
> I googled but could not find.
>
> Many of you must have a rule to detect Yahoo
> messenger, please do send me.

As Scott has said, check the docs.  It's amazing the wealth of information
that's in them.

Here are five simple steps to build your rule.

1)  Download and install the Yahoo IM client on a test box.

2)  Start a binary packet log on a machine that can see the test box's
traffic.

	snort -b 'host <test box>'

3)  Log in, send a msg, log out, log in, send a msg, log out.

4)  Stop the capture.

5)  Read over the binary logs and see what you can find that's common to
the YIM info.

	snort -qdvr <file> | less      (or 'more' depending on OS)

It's not too hard.  It just takes a bit of work.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
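An added example (not part of Erek's post or the Snort project) of what step 5 looks like once you have the decoded packets in front of you: take the application-layer payloads you pulled out of the binary log, find the bytes they all share, and turn that into a Snort content match with a depth. The payloads below are constructed placeholders for this example and are not real Yahoo Messenger protocol bytes; the function names, the port of "any" and the sid 1000001 (the local-rule range) are this example's own choices, not anything from the list post.

```python
"""
Turn a handful of captured client payloads into a Snort content rule.

The sample payloads are CONSTRUCTED for this example. They stand in for
the application-layer bytes you would read out of `snort -qdvr <file>`;
they are not real Yahoo Messenger traffic.
"""
from typing import List

# Constructed client payloads: fixed 8-byte header, a length byte that
# varies, a 4-byte sequence counter, then a human-readable body.
SAMPLE_PAYLOADS: List[bytes] = [
    b"IMHDR\x00\x01\x00\x10\x00\x00\x00\x00login alice\n",
    b"IMHDR\x00\x01\x00\x20\x00\x00\x00\x01msg hello bob\n",
    b"IMHDR\x00\x01\x00\x08\x00\x00\x00\x02logout\n",
]

# Constructed traffic from a different protocol, used to check that the
# chosen bytes are specific to the client and not common to everything.
BENIGN_PAYLOADS: List[bytes] = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"EHLO mail.example.test\r\n",
]


def common_prefix(payloads: List[bytes]) -> bytes:
    """Longest byte prefix shared by every payload (b'' if none)."""
    if not payloads:
        return b""
    prefix = payloads[0]
    for p in payloads[1:]:
        i = 0
        while i < min(len(prefix), len(p)) and prefix[i] == p[i]:
            i += 1
        prefix = prefix[:i]
    return prefix


def longest_common_substring(payloads: List[bytes]) -> bytes:
    """Longest byte sequence present at any offset in every payload.

    Brute force over the shortest payload; fine for the few dozen packets
    a manual capture produces, not meant for large pcaps.
    """
    if not payloads:
        return b""
    shortest = min(payloads, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in p for p in payloads):
                return candidate
    return b""


def to_snort_content(data: bytes) -> str:
    """Render bytes as a Snort content string.

    Printable ASCII stays literal; non-printables and the characters that
    Snort treats specially inside content (" ; \\ |) go into a |hex| run.
    """
    parts: List[str] = []
    hex_run: List[str] = []

    def flush() -> None:
        if hex_run:
            parts.append("|" + " ".join(hex_run) + "|")
            hex_run.clear()

    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in '";\\|':
            flush()
            parts.append(chr(b))
        else:
            hex_run.append(f"{b:02X}")
    flush()
    return "".join(parts)


def count_prefix_matches(signature: bytes, payloads: List[bytes]) -> int:
    """How many payloads would the signature match as a depth-limited prefix."""
    return sum(1 for p in payloads if p.startswith(signature))


def build_rule(payloads: List[bytes], port: str = "any",
               msg: str = "Constructed IM client header", sid: int = 1000001) -> str:
    """Build a Snort rule on the shared prefix, anchored with depth."""
    sig = common_prefix(payloads)
    if len(sig) < 4:  # a 1-3 byte prefix will fire on far too much traffic
        raise ValueError("shared prefix too short to be a useful signature")
    return (
        f"alert tcp $HOME_NET any -> $EXTERNAL_NET {port} "
        f'(msg:"{msg}"; flow:to_server,established; '
        f'content:"{to_snort_content(sig)}"; depth:{len(sig)}; '
        f"sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    sig = common_prefix(SAMPLE_PAYLOADS)
    print("shared prefix:", sig)
    print("longest shared run:", longest_common_substring(SAMPLE_PAYLOADS))
    print("benign payloads matched:", count_prefix_matches(sig, BENIGN_PAYLOADS))
    print(build_rule(SAMPLE_PAYLOADS))
```

The prefix-with-depth form is the one to prefer when the shared bytes sit at the start of the payload: it tells Snort to stop looking after a few bytes instead of scanning the whole packet. Checking the candidate against traffic from other protocols (the constructed benign set here) before deploying is the part people skip and then pay for in false positives.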
