Snort mailing list archives
RE: AOL Rule
From: Jim Forster <jforster () rapidnet com>
Date: Wed, 24 Oct 2001 16:03:32 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One more cleanup. :) This one catches ICQ2000b.

alert tcp any any <> any 5190 (msg:"ICQ"; flags:A+; content:"|2A 02|"; depth:2; content:"|04|"; offset:7; depth:1; dsize:>140;)

At 03:31 PM 10/24/2001, Cessna, Michael wrote:
I cleaned the rule up a bit:

log tcp any any -> any 5190 (msg:"AIM packet"; content:"|2A 02|"; depth:2; flags:AP+; classtype:not-suspicious; priority:0;)
log tcp any 5190 -> any any (msg:"AIM packet"; content:"|2A 02|"; depth:2; flags:AP+; classtype:not-suspicious; priority:0;)

If you are not using the binary logging format then you can add the logto:"<filename>" option to the rule to have a separate log for the rule (I use binary logging, so I didn't add it to the rule). Also, since we are checking the payload of the data packet for the |2A 02| content with a depth limit, the 5190 port should not be needed... I'll have to check that out. Anyway, I'm running this rule tonight and will check the log against yesterday's log when I get back in tomorrow to make sure that I'm not dropping anything that should be logged. After that I'll test it without the port restrictions, since AIM can connect on just about any port. I'm not sure how much impact that will have on Snort, but I'll set up a test sensor and find out. I'll let you know what I find.

Mike

-----Original Message-----
From: Cessna, Michael [mailto:MCessna () rtm com]
Sent: Wednesday, October 24, 2001 4:28 PM
To: 'Greg Robinson'; Snort-users () lists sourceforge net
Subject: RE: [Snort-users] AOL Rule

AIM normally connects on tcp 5190, but it can be set to communicate on any port. Also, the data portion of the packet starts with |2A 02|; it may also start with |2A 05|, but this is only for the "unknown" info message, so you really don't need to capture those packets.

log tcp any any -> any 5190 (content:"|2A 02|";)
log tcp any 5190 -> any any (content:"|2A 02|";)

If I get some time soon I'll try to clean up the rule a little bit. As it sits you will get some false positives, but it will catch all the AIM traffic on 5190.
I put this in because our execs wanted to keep a record of AIM traffic in case we had an info leak, but did not want to ban AIM (trying to keep the employees happy :)

Mike

-----Original Message-----
From: Greg Robinson [mailto:greg () diverdown cc]
Sent: Wednesday, October 24, 2001 4:24 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] AOL Rule

Has anyone ever written a rule to log AOL IMs the way the MSN IMs are logged to the database? Some help on that would be greatly appreciated...

Greg
- -----------------------------------------------------
Jim Forster
Network Administrator
RapidNet, A Golden West Company
- -----------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBO9c6tIm0Gn1R8/mJEQJjbgCgzD7ww5qci101ywBKOVyz6NoLj4MAniYq
iMe8Kj2lpMQ0HcD3lW0fCtl4
=UAgN
-----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
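Editor's added example (not part of the thread above, and not Snort code): the three rules in this thread all key on the first bytes of the OSCAR FLAP frame that AIM and ICQ clients exchange. The script below builds a few FLAP frames by hand, parses them, and applies the payload checks of Mike's rule (content "|2A 02|" at depth 2) and Jim's rule (same, plus a 0x04 at offset 7 and dsize > 140), so you can see which packets each rule body would match before putting it on a sensor. The FLAP/SNAC field layout (0x2A marker, channel byte, sequence, length, then a SNAC header whose first two bytes are the family) is standard OSCAR framing; channel 5 is the OSCAR keep-alive, which is what the "|2A 05|" frames mentioned in the thread are. The sample payloads are constructed, not captures, the TCP flags options (flags:A+ / flags:AP+) are not modelled, and the script assumes Snort 2.x semantics where depth is counted from offset (older releases may differ on that point).

```python
# Added example: model the payload checks of the two Snort rules in this thread
# against hand-built OSCAR FLAP frames. Field layout is standard OSCAR framing;
# depth-relative-to-offset follows Snort 2.x and is an assumption for older Snort.
import struct

FLAP_START = 0x2A          # every OSCAR frame begins with 0x2A ('*')
FLAP_CH_DATA = 0x02        # channel 2 carries SNAC data (the "|2A 02|" of the thread)
FLAP_CH_KEEPALIVE = 0x05   # channel 5 is the keep-alive (the "|2A 05|" of the thread)
SNAC_FAMILY_ICBM = 0x0004  # instant-message family; its low byte sits at payload offset 7


def build_flap(channel, seq, data=b""):
    """FLAP header: 0x2A, channel, 16-bit sequence, 16-bit data length, then data."""
    return struct.pack("!BBHH", FLAP_START, channel, seq, len(data)) + data


def build_snac(family, subtype, body=b"", flags=0, req_id=0):
    """SNAC header: family, subtype, flags, request id (10 bytes), then body."""
    return struct.pack("!HHHI", family, subtype, flags, req_id) + body


def parse_flap(payload):
    """Return (channel, seq, data) for a FLAP frame, or None if the bytes are not one."""
    if len(payload) < 6 or payload[0] != FLAP_START:
        return None
    _, channel, seq, length = struct.unpack("!BBHH", payload[:6])
    return channel, seq, payload[6:6 + length]


def snac_family(payload):
    """SNAC family of a channel-2 frame, or None for anything else."""
    parsed = parse_flap(payload)
    if parsed is None or parsed[0] != FLAP_CH_DATA or len(parsed[2]) < 10:
        return None
    return struct.unpack("!H", parsed[2][:2])[0]


def content(payload, pattern, offset=0, depth=None):
    """Emulate Snort content/offset/depth: look for pattern inside
    payload[offset:offset+depth] (depth counted from offset, Snort 2.x style)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def aim_packet_rule(payload):
    """Mike's rule body: content:"|2A 02|"; depth:2;   (TCP flags not modelled)."""
    return content(payload, b"\x2a\x02", depth=2)


def icq_rule(payload):
    """Jim's rule body: content:"|2A 02|"; depth:2; content:"|04|"; offset:7; depth:1; dsize:>140;"""
    return (content(payload, b"\x2a\x02", depth=2)
            and content(payload, b"\x04", offset=7, depth=1)
            and len(payload) > 140)


# Constructed sample payloads (not captures): what a sensor might see on tcp/5190.
SAMPLES = {
    # 6-byte FLAP + 10-byte SNAC + 130-byte body = 146 bytes, family 0x0004 (ICBM)
    "icbm_message": build_flap(FLAP_CH_DATA, 1, build_snac(SNAC_FAMILY_ICBM, 0x0006, b"A" * 130)),
    # ICBM family but only 16 bytes: passes the 0x04 check, fails dsize
    "icbm_typing": build_flap(FLAP_CH_DATA, 2, build_snac(SNAC_FAMILY_ICBM, 0x0014)),
    # generic service family 0x0001: byte 7 is 0x01, not 0x04
    "generic_snac": build_flap(FLAP_CH_DATA, 3, build_snac(0x0001, 0x0017, b"\x00" * 8)),
    # keep-alive frame, starts 2A 05
    "keepalive": build_flap(FLAP_CH_KEEPALIVE, 4),
    # something else parked on the AIM port
    "http_on_5190": b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
    # 2A 02 present but not within the first two bytes: depth:2 keeps it out
    "late_2a02": b"\x00\x00\x00\x2a\x02" + b"\x00" * 150,
}


def evaluate(samples=SAMPLES):
    """Run both rule bodies over each sample; returns {name: (aim_match, icq_match)}."""
    return {name: (aim_packet_rule(p), icq_rule(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (aim, icq) in evaluate().items():
        fam = snac_family(SAMPLES[name])
        fam_s = f"0x{fam:04x}" if fam is not None else "-"
        print(f"{name:14} len={len(SAMPLES[name]):3} family={fam_s:6} AIM={aim!s:5} ICQ={icq}")
```

Running it shows why the rules behave as the thread describes: the two-byte check at depth 2 picks up every channel-2 frame, including small control traffic such as typing notifications, and ignores keep-alives; Jim's extra offset-7 byte restricts matches to the ICBM (message) family and the dsize floor drops the short ones. Neither check depends on the port, which is the point Mike wanted to test, but a bare "2A 02 in the first two bytes" on any port will also match unrelated binary protocols whose payloads happen to begin that way, so the family byte and size checks are what keep a port-agnostic rule from logging noise.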
Current thread:
- AOL Rule Greg Robinson (Oct 24)
- <Possible follow-ups>
- RE: AOL Rule Cessna, Michael (Oct 24)
- RE: AOL Rule Cessna, Michael (Oct 24)
- RE: AOL Rule Jim Forster (Oct 24)