Snort mailing list archives
Re: rule for Yahoo or Hotmail messengers
From: "Imran William Smith" <iwsmith () mimos my>
Date: Mon, 17 Jun 2002 18:01:01 +0800
Note: in future, queries like this belong in the snort-sigs group.

For Yahoo I built the following rules, but have not tested them much yet. In particular, I was worried about message transfers - much more dangerous than just people talking.... Only the original connect to Yahoo should be flagged, not every single message, to reduce the amount of data logged. You'll have to allocate your own sids.

alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"INFO Yahoo messenger login"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Yahoo messenger login through port 80"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 119 (msg:"INFO Yahoo messenger file transfer"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INFO Yahoo messenger file transfer through port 80"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)

--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

----- Original Message -----
From: "Ronneil Camara" <ronneilc () remingtonltd com>
To: <snort-users () lists sourceforge net>
Sent: Monday, June 17, 2002 2:11 PM
Subject: [Snort-users] rule for Yahoo or Hotmail messengers

| Does anyone have a rule to detect logins to yahoo or hotmail messengers
| and if using port 80?
|
| Adding a rule based on destination address is easy. But I was hoping
| that someone has already created a rule based on a sniffed packet
| of yahoo or hotmail traffic headers. (Sorta content filtering approach)
|
| Thanks in advance.
|
| Neil
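Added example, not part of Imran's message or of Snort itself: a toy Python matcher that applies the four rules above to constructed TCP segments, to show what they do and do not flag. Only the login reply and a FILEXFER segment on the listed ports fire; an ordinary chat message on port 80 does not (as intended, to keep logging down), and a transfer on any port other than 80 or 119 is simply not covered. Everything below the RULES list (the packet layout, the sample payloads, port 8080) is an assumption of this example.

```python
import re

# The four rules posted above, copied verbatim from the message.
RULES = [
    'alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"INFO Yahoo messenger login"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Yahoo messenger login through port 80"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 119 (msg:"INFO Yahoo messenger file transfer"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000003; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INFO Yahoo messenger file transfer through port 80"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)',
]

HEADER = re.compile(r'^alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$')

def parse_rule(text):
    """Reduce one rule to the few fields this toy matcher understands."""
    src, sport, dst, dport, opts = HEADER.match(text).groups()
    return {
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "sid": int(re.search(r'sid:\s*(\d+)', opts).group(1)),
        # Snort ANDs every content: option; no nocase, so matching is case-sensitive.
        "contents": [c.encode() for c in re.findall(r'content:\s*"([^"]*)"', opts)],
        # "flags: A+" means the ACK bit must be set; other bits are ignored.
        "need_ack": bool(re.search(r'flags:\s*A\+', opts)),
    }

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def matching_sids(pkt, rules=tuple(parse_rule(r) for r in RULES)):
    """Return the sids that fire on one TCP segment (a dict built by seg())."""
    hits = []
    for r in rules:
        if (pkt["src"], pkt["dst"]) != (r["src"], r["dst"]):
            continue
        if not (port_ok(r["sport"], pkt["sport"]) and port_ok(r["dport"], pkt["dport"])):
            continue
        if r["need_ack"] and "A" not in pkt["flags"]:
            continue
        if all(c in pkt["payload"] for c in r["contents"]):
            hits.append(r["sid"])
    return hits

def seg(src, sport, dst, dport, flags, payload):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "payload": payload}

# Constructed segments, not real captures. The Snort variables are used as
# literal network labels so the header comparison stays a string compare.
LOGIN_80 = seg("$EXTERNAL_NET", 80, "$HOME_NET", 3344, "PA",
               b"YMSG\x00\x09...domain=.yahoo.com")                      # -> [1000002]
CHAT_80 = seg("$HOME_NET", 3344, "$EXTERNAL_NET", 80, "PA", b"YMSG\x00\x09hello")  # -> []
XFER_119 = seg("$HOME_NET", 3345, "$EXTERNAL_NET", 119, "PA", b"YMSG\x00FILEXFER")  # -> [1000003]
XFER_OTHER = seg("$HOME_NET", 3345, "$EXTERNAL_NET", 8080, "PA", b"YMSG\x00FILEXFER")  # -> []
```

Call matching_sids() on each sample to see the sids listed in the trailing comments; the last sample shows the coverage gap when the client uses a port the rules do not name.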
Current thread:
- rule for Yahoo or Hotmail messengers Ronneil Camara (Jun 16)
- Re: rule for Yahoo or Hotmail messengers Imran William Smith (Jun 17)