[Snort-users] Snort and IM

waldo kitty wkitty42 at ...14940...
Mon Feb 18 16:27:22 EST 2013


On 2/18/2013 15:32, Josh Bitto wrote:
> OH wait….hahaha…..brain fart….I see what you're saying put
> /ajax/mercury/send_messages.php
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat
> (send message)"; flow:established,to_server; content:"POST"; http_method;
> content:"/ajax/mercury/send_messages.php"; http_uri;
> content:"facebook.com"; http_header;
> reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation;
> sid:2010784; rev:3;)

ok, i gotta ask... what does this have to do with detecting Teamspeak 3 traffic 
as your original post asked about??




