<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>And as another point, start to familiarize yourself with tools like Wireshark.... You would be able to analyze the contents that you were trying to detect and easily identify where the issue lies, i.e. encrypted (SSL) or invalid content matches, etc.</div><div><br></div><div>JJC<br><br>Sent from the iRoad</div><div><br>On Feb 18, 2013, at 17:33, Joel Esler <<a href="mailto:jesler@...391...935...">jesler@...1935...</a>> wrote:<br><br></div><blockquote type="cite"><div><meta http-equiv="content-type" content="text/html; charset=utf-8"><div>There are commercial SSL decryptors which will pass the unencrypted traffic to Snort. <br><br><div>--</div><div><b>Joel Esler</b></div>Sent from my iPhone</div><div><br>On Feb 18, 2013, at 3:41 PM, Josh Bitto <<a href="mailto:jbitto@...16055...">jbitto@...16055...</a>> wrote:<br><br></div><blockquote type="cite"><div><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"><meta name="Generator" content="Microsoft Word 14 (filtered medium)"><base href="x-msg://2201/"><style><!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--><div class="WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Oh, I didn’t know TeamSpeak used SSL.... OK, that explains a lot....<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thank you!<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’m wondering why they created a rule set for TCP if the standard is in SSL....<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Dustin Webber [<a href="mailto:dustin.webber@...11827...">mailto:dustin.webber@...11827...</a>] <br><b>Sent:</b> Monday, February 18, 2013 12:39 PM<br><b>To:</b> Josh Bitto<br><b>Cc:</b> <a href="mailto:snort-users@lists.sourceforge.net">snort-users@...974...rceforge.net</a><br><b>Subject:</b> Re: [Snort-users] Snort and IM<o:p></o:p></span></p></div></div><p class="MsoNormal"><o:p> </o:p></p><div><p class="MsoNormal">Yeah, that will be the same story. 
:(<o:p></o:p></p></div><p class="MsoNormal"><o:p> </o:p></p><div><div><p class="MsoNormal">On Feb 18, 2013, at 2:37 PM, Josh Bitto <<a href="mailto:jbitto@...16055...">jbitto@...16055...</a>> wrote:<o:p></o:p></p></div><p class="MsoNormal"><br><br><o:p></o:p></p><div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">OK, so what about TeamSpeak?</span><o:p></o:p></p></div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p></div><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"><div><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span></span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Dustin Webber [mailto:dustin.webber@<a href="http://gmail.com">gmail.com</a>]<span class="apple-converted-space"> </span><br><b>Sent:</b><span class="apple-converted-space"> </span>Monday, February 18, 2013 12:36 PM<br><b>To:</b><span class="apple-converted-space"> </span>Josh Bitto<br><b>Cc:</b><span class="apple-converted-space"> </span><a href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a><br><b>Subject:</b><span class="apple-converted-space"> </span>Re: [Snort-users] Snort and IM</span><o:p></o:p></p></div></div></div><div><p class="MsoNormal"> <o:p></o:p></p></div><div><div><p class="MsoNormal">But like I said, Facebook is over SSL by default, so you won't see this. 
Only the initial request.<o:p></o:p></p></div></div><div><div><p class="MsoNormal"> <o:p></o:p></p></div></div><div><p class="MsoNormal"> <o:p></o:p></p></div><div><div><div><p class="MsoNormal">On Feb 18, 2013, at 2:32 PM, Josh Bitto <<a href="mailto:jbitto@...16055..."><span style="color:purple">jbitto@...16055...</span></a>> wrote:<o:p></o:p></p></div></div><div><p class="MsoNormal"><br><br><br><o:p></o:p></p></div><div><div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Oh wait…. hahaha….. brain fart…. I see what you’re saying, put<span class="apple-converted-space"> </span><a href="https://www.facebook.com/ajax/mercury/send_messages.php"><span style="color:purple">/ajax/mercury/send_messages.php</span></a></span><o:p></o:p></p></div></div><div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p></div></div><div><div><p class="MsoNormal">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/mercury/send_messages.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:3;)<o:p></o:p></p></div></div><div><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p></div></div><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in"><div><p class="MsoNormal"><b><span 
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span></span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Dustin Webber [mailto:dustin.webber@<a href="http://gmail.com"><span style="color:purple">gmail.com</span></a>]<span class="apple-converted-space"> </span><br><b>Sent:</b><span class="apple-converted-space"> </span>Monday, February 18, 2013 12:28 PM<br><b>To:</b><span class="apple-converted-space"> </span>Josh Bitto<br><b>Cc:</b><span class="apple-converted-space"> </span><a href="mailto:snort-users@...2987...rge.net"><span style="color:purple">snort-users@lists.sourceforge.net</span></a><br><b>Subject:</b><span class="apple-converted-space"> </span>Re: [Snort-users] Snort and IM</span><o:p></o:p></p></div></div></div><div><div><p class="MsoNormal"> <o:p></o:p></p></div></div><div><div><div><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">Josh, </span><o:p></o:p></p></div></div><div><div><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Helvetica","sans-serif""> </span><o:p></o:p></p></div></div><div><div><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">Looks like this rule is just out of date. 
The POST URL I see for this is `<a href="https://www.facebook.com/ajax/mercury/send_messages.php"><span style="font-size:9.0pt;color:purple">/ajax/mercury/send_messages.php</span></a>`; try that.</span><o:p></o:p></p></div></div></div><div><div><p class="MsoNormal"> <o:p></o:p></p></div></div><div><div><div><p class="MsoNormal">On Feb 18, 2013, at 2:21 PM, Josh Bitto <<a href="mailto:jbitto@...16055..."><span style="color:purple">jbitto@...16055...</span></a>> wrote:<o:p></o:p></p></div></div><div><div><p class="MsoNormal"><br><br><br><br><o:p></o:p></p></div></div><div><div><p class="MsoNormal">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:3;)<br><br><br><br>This rule is the one that was downloaded from<span class="apple-converted-space"> </span><a href="http://snort.org"><span style="color:purple">snort.org</span></a>....I don't have any custom rule sets.<br><br>I'm able to go to Facebook chat and chat up a storm with someone I know and I don't even get an alert on it.<br><br><br><br>________________________________________<br>From: Dustin Webber [<a href="mailto:dustin.webber@...11827..."><span style="color:purple">dustin.webber@...11827...</span></a>]<br>Sent: Monday, February 18, 2013 12:18 PM<br>To: Josh Bitto<br>Cc:<span class="apple-converted-space"> </span><a href="mailto:snort-users@lists.sourceforge.net"><span style="color:purple">snort-users@lists.sourceforge.net</span></a><br>Subject: Re: [Snort-users] Snort and IM<br><br>What does your rule look like? Also, isn't that SSL traffic? 
Are you looking for connections to a certain domain?<br><br>Anyway, let's see the rule and I'm sure we can get this going.<br><br>On Feb 18, 2013, at 2:04 PM, Josh Bitto <<a href="mailto:jbitto@...16055..."><span style="color:purple">jbitto@...16055...</span></a><<a href="mailto:jbitto@...16055..."><span style="color:purple">mailto:jbitto@...16055...</span></a>>> wrote:<br><br>I’m having issues where I can’t get the Emerging Threats rules to fire on instant messaging or logging into TeamSpeak 3…… I know that both my WAN and LAN are working because of other tests that I have conducted. Any ideas on my next course of action to fix the issue?<br><br><br>------------------------------------------------------------------------------<br>The Go Parallel Website, sponsored by Intel - in partnership with Geeknet,<br>is your hub for all things parallel software development, from weekly thought<br>leadership blogs to news, videos, case studies, tutorials, tech docs,<br>whitepapers, evaluation guides, and opinion stories. 
Check out the most<br>recent posts - join the conversation now.<span class="apple-converted-space"> </span><a href="http://goparallel.sourceforge.net/"><span style="color:purple">http://goparallel.sourceforge.net/</span></a><br>_______________________________________________<br>Snort-users mailing list<br><a href="mailto:Snort-users@lists.sourceforge.net"><span style="color:purple">Snort-users@lists.sourceforge.net</span></a><<a href="mailto:Snort-users@lists.sourceforge.net"><span style="color:purple">mailto:Snort-users@lists.sourceforge.net</span></a>><br>Go to this URL to change user options or unsubscribe:<br><a href="https://lists.sourceforge.net/lists/listinfo/snort-users"><span style="color:purple">https://lists.sourceforge.net/lists/listinfo/snort-users</span></a><br>Snort-users list archive:<br><a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users"><span style="color:purple">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</span></a><br><br>Please visit<span class="apple-converted-space"> </span><a href="http://blog.snort.org"><span style="color:purple">http://blog.snort.org</span></a><span class="apple-converted-space"> </span>to stay current on all the latest Snort news!<o:p></o:p></p></div></div></div></div></div></div></div><p class="MsoNormal"><o:p> </o:p></p></div></div></blockquote></div></blockquote></body></html>
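<div>Added example for the thread above (my own code, not from the thread, Snort, or Emerging Threats): a small Python script showing why a rule like sid:2010784 cannot fire once the chat session is TLS, and what an IDS can still see on such a connection. It emulates the rule's three content matches (POST method, /ajax/mercury/send_messages.php in the URI, facebook.com in a header) against a constructed plaintext POST and against a constructed TLS 1.2 ClientHello, and parses the server_name (SNI) extension out of the ClientHello. The ClientHello bytes are built in the script (constructed sample, not a capture), the function names build_client_hello, rule_2010784_matches, tls_sni and classify are mine, and the rule check is a rough approximation of the content matches, not Snort's HTTP inspection. The point it demonstrates: over TLS the http_uri and http_header buffers never see the URI or Host header, so the rule has nothing to match; what remains in the clear is the host name in the ClientHello's SNI extension, which is what a "connection to a certain domain" detection would key on, and which an SSL decryptor in front of Snort (Joel's suggestion) turns back into the plaintext case.</div>

```python
import struct

# Constructed sample input: a plaintext Facebook chat POST as the rule expects it.
SAMPLE_HTTP_POST = (
    b"POST /ajax/mercury/send_messages.php HTTP/1.1\r\n"
    b"Host: www.facebook.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension.

    Constructed sample input for this example (not a capture); the random
    bytes and the single cipher suite are placeholders.
    """
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                # client_version: TLS 1.2
        + b"\x11" * 32             # random (placeholder)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\xc0\x2f"      # cipher_suites: one suite
        + b"\x01\x00"              # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def rule_2010784_matches(payload: bytes) -> bool:
    """Rough emulation of the rule's content matches on one client-to-server payload:
    method POST, the chat URI in the request line, 'facebook.com' in a header line.
    This is not Snort's HTTP inspection, only the three checks the rule expresses."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3 or parts[0] != b"POST":
        return False
    if b"/ajax/mercury/send_messages.php" not in parts[1]:
        return False
    return any(b"facebook.com" in h for h in lines[1:])


def tls_sni(payload: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None when the
    payload is not a ClientHello or carries no server_name extension."""
    if len(payload) < 5 or payload[0] != 0x16:                 # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                           # 0x01 = client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                               # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                       # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                       # compression_methods
    if pos + 2 > len(body):
        return None                                            # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0:
            continue
        # ServerNameList: 2-byte list length, then entries of type(1) length(2) name
        lpos = 2
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            lpos += 3
            if ntype == 0:
                return edata[lpos:lpos + nlen].decode("ascii", "replace")
            lpos += nlen
    return None


def classify(payload: bytes) -> dict:
    """What each detection approach sees for one payload."""
    return {"rule_2010784": rule_2010784_matches(payload), "sni": tls_sni(payload)}


if __name__ == "__main__":
    for label, pkt in (("plaintext POST", SAMPLE_HTTP_POST),
                       ("TLS ClientHello", build_client_hello("www.facebook.com"))):
        print(f"{label:16s} -> {classify(pkt)}")
```

<div>Run as a script, the plaintext POST satisfies all three content checks, while the ClientHello satisfies none of them yet still yields www.facebook.com from the SNI extension. The same split is what a Wireshark look at the capture shows: an HTTP request you can read, or a TLS handshake followed by application data the rule will never see.</div>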