[Snort-users] Snort and IM

Josh Bitto jbitto at ...16055...
Mon Feb 18 16:46:32 EST 2013

It had to do with Mr. Webber's reply.

-----Original Message-----
From: waldo kitty [mailto:wkitty42 at ...14940...] 
Sent: Monday, February 18, 2013 1:27 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort and IM

On 2/18/2013 15:32, Josh Bitto wrote:
> OH wait….hahaha…..brain fart….I see what your saying put 
> /ajax/mercury/send_messages.php
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT 
> Facebook Chat (send message)"; flow:established,to_server; 
> content:"POST"; http_method; 
> content:"/ajax/mercury/send_messages.php"; http_uri; 
> content:"facebook.com <http://facebook.com>"; http_header; 
> reference:url,doc.emergingthreats.net/2010784; 
> classtype:policy-violation; sid:2010784; rev:3;)

ok, i gotta ask... what does this have to do with detecting Teamspeak 3 traffic as your original post asked about??

The Go Parallel Website, sponsored by Intel - in partnership with Geeknet, 
is your hub for all things parallel software development, from weekly thought 
leadership blogs to news, videos, case studies, tutorials, tech docs, 
whitepapers, evaluation guides, and opinion stories. Check out the most 
recent posts - join the conversation now. http://goparallel.sourceforge.net/
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

More information about the Snort-users mailing list