[Snort-users] Snort and IM

Dustin Webber dustin.webber at ...11827...
Mon Feb 18 15:36:18 EST 2013


But like I said, Facebook is over SSL by default, so you won't see this, only the initial request.


On Feb 18, 2013, at 2:32 PM, Josh Bitto <jbitto at ...16055...> wrote:

> OH wait….hahaha…..brain fart….I see what you're saying: put /ajax/mercury/send_messages.php
>  
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/mercury/send_messages.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:3;)
>  
> From: Dustin Webber [mailto:dustin.webber at ...11827...] 
> Sent: Monday, February 18, 2013 12:28 PM
> To: Josh Bitto
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort and IM
>  
> Josh, 
>  
> Looks like this rule is just out of date. The post URL I see for this is `/ajax/mercury/send_messages.php`. Try that.
>  
> On Feb 18, 2013, at 2:21 PM, Josh Bitto <jbitto at ...16055...> wrote:
> 
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:3;)
> 
> 
> 
> This rule is the one that was downloaded from snort.org....I don't have any custom rule sets.
> 
> I'm able to go to facebook chat and chat up a storm with someone I know and I don't even get an alert on it.
> 
> 
> 
> ________________________________________
> From: Dustin Webber [dustin.webber at ...11827...]
> Sent: Monday, February 18, 2013 12:18 PM
> To: Josh Bitto
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort and IM
> 
> What does your rule look like? Also, isn't that SSL traffic? Are you looking for connections to a certain domain?
> 
> Anyway, let's see the rule and I'm sure we can get this going.
> 
> On Feb 18, 2013, at 2:04 PM, Josh Bitto <jbitto at ...16055...> wrote:
> 
> I’m having issues where I can’t get the emerging threat rules to fire on instant messaging or logging into teamspeak 3……I know that both my WAN and LAN are working because of other tests that I have conducted. Any ideas on my next course of action to fix the issue?
> 
> 
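
Added example (not part of the original thread and not Snort's own code): a simplified Python approximation of how the quoted rule's `content` / `http_*` options are evaluated, run against constructed payloads. It shows the two reasons discussed above for the rule staying silent: the old URI no longer matches, and an encrypted session has no HTTP buffers to match against. The payloads and helper names are assumptions made for illustration.

```python
import re

# Rule options quoted in the thread (trimmed to the parts evaluated here).
OLD_RULE = ('content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; '
            'content:"facebook.com"; http_header;')
NEW_RULE = ('content:"POST"; http_method; content:"/ajax/mercury/send_messages.php"; '
            'http_uri; content:"facebook.com"; http_header;')

# Constructed sample payloads (not captured traffic).
PLAINTEXT_POST = (b"POST /ajax/mercury/send_messages.php HTTP/1.1\r\n"
                  b"Host: www.facebook.com\r\nContent-Length: 0\r\n\r\n")
# TLS record header (type 0x16 handshake, version 3.1, length 46) plus filler bytes.
TLS_RECORD = b"\x16\x03\x01\x00\x2e" + b"\x8f" * 46


def parse_contents(rule_options):
    """Return [(pattern, buffer)] for each content match tied to an http_* modifier."""
    pairs = re.findall(
        r'content:"([^"]*)";\s*(http_method|http_uri|http_header);', rule_options)
    return [(pat.encode(), buf) for pat, buf in pairs]


def http_buffers(payload):
    """Split a client payload into method/URI/header buffers; None if it is not HTTP."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None  # e.g. an encrypted TLS record: no request line to inspect
    return {"http_method": parts[0], "http_uri": parts[1],
            "http_header": b"\r\n".join(lines[1:])}


def rule_matches(rule_options, payload):
    """True only if every content pattern is found in its designated buffer."""
    bufs = http_buffers(payload)
    if bufs is None:
        return False
    return all(pat in bufs[buf] for pat, buf in parse_contents(rule_options))


if __name__ == "__main__":
    for name, rule in (("old", OLD_RULE), ("new", NEW_RULE)):
        print(name, "plaintext:", rule_matches(rule, PLAINTEXT_POST),
              "tls:", rule_matches(rule, TLS_RECORD))
```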
