[Snort-users] Snort and IM

James Lay jlay at ...13475...
Mon Feb 18 15:39:10 EST 2013


Josh,

This is an Emerging Threats rule.  Also, I suspect that your session is 
going https, which means this rule won't see it.

James

On 2013-02-18 13:32, Josh Bitto wrote:
> OH wait….hahaha…..brain fart….I see what you're saying, put
> /ajax/mercury/send_messages.php
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT
> Facebook Chat (send message)"; flow:established,to_server;
> content:"POST"; http_method; content:"/ajax/mercury/send_messages.php";
> http_uri; content:"facebook.com"; http_header;
> reference:url,doc.emergingthreats.net/2010784;
> classtype:policy-violation; sid:2010784; rev:3;)
>
> FROM: Dustin Webber [mailto:dustin.webber at ...11827...]
> SENT: Monday, February 18, 2013 12:28 PM
> TO: Josh Bitto
> CC: snort-users at lists.sourceforge.net
> SUBJECT: Re: [Snort-users] Snort and IM
>
> Josh,
>
> Looks like this rule is just out of date. The post URL I see for this
> is `/ajax/mercury/send_messages.php`; try that.
>
> On Feb 18, 2013, at 2:21 PM, Josh Bitto <jbitto at ...16055...>
> wrote:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT
> Facebook Chat (send message)"; flow:established,to_server;
> content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri;
> content:"facebook.com"; http_header;
> reference:url,doc.emergingthreats.net/2010784;
> classtype:policy-violation; sid:2010784; rev:3;)
>
> This rule is the one that was downloaded from snort.org....I don't
> have any custom rule sets.
>
> I'm able to go to facebook chat and chat up a storm with someone I
> know and I don't even get an alert on it.
>
> ________________________________________
> From: Dustin Webber [dustin.webber at ...11827...]
> Sent: Monday, February 18, 2013 12:18 PM
> To: Josh Bitto
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort and IM
>
> What does your rule look like? Also, isn't that SSL traffic? Are you
> looking for connections to a certain domain?
>
> Anyway, let's see the rule and I'm sure we can get this going.
>
> On Feb 18, 2013, at 2:04 PM, Josh Bitto <jbitto at ...16055...> wrote:
>
> I'm having issues where I can't get the Emerging Threats rules to fire
> on instant messaging or logging into TeamSpeak 3……I know that both
> my WAN and LAN are working because of other tests that I have
> conducted. Any ideas on my next course of action to fix the issue?
>
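The thread's two points, that the rule's `http_uri` match needs the new URI and that it cannot match at all once the session is HTTPS, as an added Python illustration that is not part of the thread, of Snort, or of the Emerging Threats rule set. The HTTP request and the TLS bytes are constructed samples, and the matching is a simplified stand-in for Snort's HTTP inspector, not its real semantics.

```python
import re

# The Emerging Threats rule as quoted in the thread, with the URI Dustin suggested.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat '
        '(send message)"; flow:established,to_server; content:"POST"; http_method; '
        'content:"/ajax/mercury/send_messages.php"; http_uri; content:"facebook.com"; '
        'http_header; reference:url,doc.emergingthreats.net/2010784; '
        'classtype:policy-violation; sid:2010784; rev:3;)')
# The rule as Josh first downloaded it, still looking for the old URI.
OLD_RULE = RULE.replace("/ajax/mercury/send_messages.php", "/ajax/chat/send.php")

def parse_content_matches(rule):
    """Return (buffer, pattern) pairs: each content: keyword plus its http_* modifier."""
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    pat = r'content:"([^"]*)";\s*(http_method|http_uri|http_header)?'
    return [(m.group(2) or "payload", m.group(1)) for m in re.finditer(pat, opts)]

def http_buffers(request):
    """Split a cleartext HTTP request into the buffers the http_* modifiers inspect.
    Returns None when the bytes are not a parseable HTTP request, which is all the
    HTTP inspector effectively gets from a TLS session."""
    try:
        text = request.decode("ascii")
        head, _, _body = text.partition("\r\n\r\n")
        request_line, _, headers = head.partition("\r\n")
        method, uri, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    return {"http_method": method, "http_uri": uri,
            "http_header": headers, "payload": text}

def rule_matches(rule, request):
    """Simplified evaluation: every content: pattern must appear in its buffer."""
    bufs = http_buffers(request)
    if bufs is None:
        return False
    return all(pattern in bufs[buf] for buf, pattern in parse_content_matches(rule))

# Constructed sample: a cleartext POST like the one Dustin saw, with a placeholder body.
CLEARTEXT_POST = (b"POST /ajax/mercury/send_messages.php HTTP/1.1\r\n"
                  b"Host: www.facebook.com\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"message_batch=PLACEHOLDER")
# Constructed sample: a TLS record header followed by opaque bytes, standing in for the
# same POST sent over HTTPS; no method, URI or header is visible to the sensor.
TLS_RECORD = bytes([0x16, 0x03, 0x01, 0x00, 0x2f]) + bytes(0x80 | (i % 128) for i in range(47))
if __name__ == "__main__":  # expected: True False False
    print(rule_matches(RULE, CLEARTEXT_POST), rule_matches(OLD_RULE, CLEARTEXT_POST),
          rule_matches(RULE, TLS_RECORD))
```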