Snort mailing list archives
Re: rule for yahoo messenger
From: Erek Adams <erek () snort org>
Date: Wed, 30 Jul 2003 11:08:15 -0400 (EDT)
On Tue, 29 Jul 2003, Always Bishan wrote:
Does anybody know a snort rule to detect yahoo messenger? I googled but could not find. Many of you must be having a rule to detect Yahoo messenger, please do send me.
As Scott has said, check the docs. It's amazing the wealth of information that's in them.

Here's five simple steps to build your rule.

1) Download and install the Yahoo IM client on a test box.
2) Start a binary packet log on a machine that can see the test box's traffic.
       snort -b 'host <test box>'
3) Login, send a msg, logout, login, send a msg, logout.
4) Stop the capture.
5) Read over the binary logs and see what you can find that's common to the YIM info.
       snort -qdvr <file> | less   (or 'more' depending on OS)

It's not too hard. It just takes a bit of work.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
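Step 5 of the procedure above, as an added example (not part of the original post and not Snort project code): given application payloads already extracted from the capture as byte strings, it finds the byte runs that are identical in every payload and drafts a candidate rule from the longest one. The sample payloads, the rule message, the sid and the helper names are constructed for illustration.

```python
# Added example: find bytes common to every captured payload, then draft a rule.

def invariant_runs(payloads):
    """Return [(offset, bytes)] for each run of positions where all payloads agree."""
    if not payloads:
        return []
    limit = min(len(p) for p in payloads)
    runs, start = [], None
    for i in range(limit + 1):  # one step past the end closes a trailing run
        same = i < limit and len({p[i] for p in payloads}) == 1
        if same and start is None:
            start = i
        elif not same and start is not None:
            runs.append((start, payloads[0][start:i]))
            start = None
    return runs

def snort_content(data):
    """Encode bytes for a content option: ASCII alphanumerics literal, rest as |hex|."""
    parts, hexrun = [], []
    for b in data:
        if b < 128 and chr(b).isalnum():
            if hexrun:
                parts.append("|" + " ".join(hexrun) + "|")
                hexrun = []
            parts.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    if hexrun:
        parts.append("|" + " ".join(hexrun) + "|")
    return "".join(parts)

def draft_rule(payloads, min_len=4, sid=1000001):
    """Build a candidate rule from the longest invariant run, or None if too short."""
    if len(payloads) < 2:
        raise ValueError("need at least two payloads to compare")
    runs = invariant_runs(payloads)
    offset, data = max(runs, key=lambda r: len(r[1]), default=(0, b""))
    if len(data) < min_len:  # short matches fire on unrelated traffic
        return None
    return ("alert tcp $HOME_NET any -> $EXTERNAL_NET any "
            '(msg:"LOCAL candidate IM client traffic"; '
            f'content:"{snort_content(data)}"; offset:{offset}; depth:{len(data)}; '
            f"sid:{sid}; rev:1;)")

# Constructed payloads (not from a real capture); replace with the step 5 data.
SAMPLES = [b"YMSG\x00\x0b\x00\x00\x00\x14\x00\x57alice",
           b"YMSG\x00\x0b\x00\x00\x00\x2a\x00\x06hello bob",
           b"YMSG\x00\x0b\x00\x00\x00\x09\x00\x02bye"]

if __name__ == "__main__":
    print(draft_rule(SAMPLES))
```

Payloads from both logins and both messages in step 3 should go in together, since a run that only holds for one message type makes a rule that misses the rest.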
Current thread:
- rule for yahoo messenger Always Bishan (Jul 29)
- RE: rule for yahoo messenger ScottRenna (Jul 29)
- Re: rule for yahoo messenger Erek Adams (Jul 30)
- <Possible follow-ups>
- Re: rule for yahoo messenger Joe Stevensen (Jul 30)