[Snort-users] Snort and IM

Dustin Webber dustin.webber at ...11827...
Mon Feb 18 15:28:28 EST 2013


Looks like this rule is just out of date. The post URL I see for this is `/ajax/mercury/send_messages.php`; try that.

On Feb 18, 2013, at 2:21 PM, Josh Bitto <jbitto at ...16055...> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:3;)
> This rule is the one that was downloaded from snort.org... I don't have any custom rule sets.
> I'm able to go to facebook chat and chat up a storm with someone I know and I don't even get an alert on it.
> ________________________________________
> From: Dustin Webber [dustin.webber at ...11827...]
> Sent: Monday, February 18, 2013 12:18 PM
> To: Josh Bitto
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort and IM
> What does your rule look like? Also, isn't that SSL traffic? Are you looking for connections to a certain domain?
> Anyway, let's see the rule and I'm sure we can get this going.
> On Feb 18, 2013, at 2:04 PM, Josh Bitto <jbitto at ...16055...> wrote:
> I'm having issues where I can't get the emerging threat rules to fire on instant messaging or logging into TeamSpeak 3... I know that both my WAN and LAN are working because of other tests that I have conducted. Any ideas on my next course of action to fix the issue?
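
An added illustration, not part of the original thread and not Snort's or Emerging Threats' own code: a Python model of how the quoted rule's `content` options are checked against the HTTP method, URI and header buffers, showing why the stale URI keeps it from firing and why encrypted traffic leaves those buffers empty. It assumes case-sensitive substring matching and handles only `content`, `http_method`, `http_uri` and `http_header`; the sample requests, the `PATCHED` rule text and all function names are constructed for this sketch.

```python
import re

# Rule quoted in the thread, trimmed to the options this sketch evaluates.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
        'msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; '
        'content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; '
        'content:"facebook.com"; http_header; sid:2010784; rev:3;)')
# Hypothetical local edit using the URI reported in the reply; not a published revision.
PATCHED = RULE.replace("/ajax/chat/send.php", "/ajax/mercury/send_messages.php")
HTTP_BUFFERS = ("http_method", "http_uri", "http_header")

def parse_contents(rule):
    """Return [(pattern, buffer)]: each content option with the http_* modifier after it."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs = []
    for opt in (o.strip() for o in body.split(";")):
        m = re.fullmatch(r'content:"(.*)"', opt)
        if m:
            pairs.append([m.group(1), "raw"])
        elif opt in HTTP_BUFFERS and pairs:
            pairs[-1][1] = opt
    return [tuple(p) for p in pairs]

def http_buffers(payload):
    """Split a cleartext HTTP request into buffers; non-HTTP (e.g. TLS) leaves them empty."""
    head = payload.split("\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition("\r\n")
    parts = request_line.split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return {**dict.fromkeys(HTTP_BUFFERS, ""), "raw": payload}
    return {"http_method": parts[0], "http_uri": parts[1], "http_header": headers, "raw": payload}

def evaluate(rule, payload):
    """Return (fires, first_unmatched): case-sensitive substring match per buffer."""
    bufs = http_buffers(payload)
    for pattern, buf in parse_contents(rule):
        if pattern not in bufs[buf]:
            return False, (pattern, buf)
    return True, None

def make_request(uri):  # constructed sample request, not captured traffic
    return f"POST {uri} HTTP/1.1\r\nHost: www.facebook.com\r\nContent-Length: 0\r\n\r\n"

OLD_REQ = make_request("/ajax/chat/send.php")
NEW_REQ = make_request("/ajax/mercury/send_messages.php")
TLS_REQ = "\x16\x03\x01\x00\x2f\x01\x00\x00\x2b"  # constructed start of a TLS record

if __name__ == "__main__":
    for name, req in (("old URI", OLD_REQ), ("new URI", NEW_REQ), ("TLS", TLS_REQ)):
        print(name, "| original:", evaluate(RULE, req), "| patched:", evaluate(PATCHED, req))
```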
