Snort mailing list archives
Snort rule for AIM file transfers?
From: "Michael Janke" <Michael.Janke () csu mnscu edu>
Date: Fri, 10 Oct 2003 10:41:57 -0500
We'd like to have a rule that flags AOL/AIM file transfers. Our IM policy is that it is OK to use IM, but not OK to use IM for file xfers. So far I've got:

1) Ports: xfers are random tcp >1024
2) Endpoints xfer directly between each other w/o oscar servers involved.
3) There seems to be a consistent set of bytes in the payload, based on testing of one client.

Here is a packet, with the TCP payload starting with '4f46 5432':

    48: 6270 adcf 0000 4f46 5432 0100 0204 9f02  bp....OFT2......
    64: 0b00 6243 0000 0000 0000 0001 0001 0001  ..bC............
    80: 0001 0001 0000 0001 0000 3f66 6286 094e  ..........?fb..N
    96: 0000 ffff 0000 0000 0000 0000 0000 ffff  ................
   112: 0000 0001 0000 094e 0000 436f 6f6c 2046  .......N..Cool F
   128: 696c 6558 6665 7200 0000 0000 0000 0000  ileXfer.........

It looks like the 'CoolXfer' is also consistent. Has anyone else written a rule for AIM xfers? If not, would this be a useful rule for others?

--Mike

___________________________________
Michael Janke
Director, Network Services
Minnesota State Colleges and Universities
1450 Energy Park Drive Suite 300
St Paul MN 55108
Voice: 651-649-5982
Cell: 651-775-9343
Fax: 651-649-5770
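The following is an added example, not code from the post or from the Snort project. It rebuilds the TCP payload from the hex dump quoted above, decodes the OFT2 header fields that the capture contains, and applies the same two content checks a Snort rule would use (the "OFT2" magic at payload offset 0 and the client id string at offset 68). The header field names and the message type codes are taken from the layout used by open-source OSCAR clients and should be treated as assumptions; the SNORT_RULE string, its sid and its message text are likewise constructed here, not taken from the post or from any ruleset.

```python
import struct

# TCP payload of the OFT2 packet quoted in the post above. The six bytes
# before '4f46 5432' on the first dump line are the tail of the TCP header
# and are dropped, as is the ASCII column.
OFT_DUMP = """
4f46 5432 0100 0204 9f02
0b00 6243 0000 0000 0000 0001 0001 0001
0001 0001 0000 0001 0000 3f66 6286 094e
0000 ffff 0000 0000 0000 0000 0000 ffff
0000 0001 0000 094e 0000 436f 6f6c 2046
696c 6558 6665 7200 0000 0000 0000 0000
"""
OFT_PAYLOAD = bytes.fromhex(OFT_DUMP)

# Fixed 68-byte prefix of the OFT2 header (big-endian), followed by a 32-byte
# id string at offset 68. Field names follow the layout used by open-source
# OSCAR clients (assumed); check them against your own captures.
_OFT_FIXED = struct.Struct(">4sHH8sHHHHHHIIIIIIIIII")
_OFT_FIELDS = (
    "magic", "length", "type", "cookie", "encrypt", "compress",
    "total_files", "files_left", "total_parts", "parts_left",
    "total_size", "size", "mod_time", "checksum", "recv_resume_checksum",
    "resume_size", "create_time", "resume_checksum", "bytes_received",
    "received_checksum",
)
ID_STRING_OFFSET = 68
ID_STRING_LEN = 32

# Message type codes as used by open-source OSCAR clients (assumed).
OFT_TYPES = {0x0101: "prompt", 0x0202: "ack", 0x0204: "done", 0x0205: "resume"}


def is_oft_payload(payload: bytes) -> bool:
    """Cheap first-pass check: the segment payload begins with the OFT2 magic."""
    return payload[:4] == b"OFT2"


def parse_oft_header(payload: bytes) -> dict:
    """Decode the OFT2 header fields present in the payload.

    A truncated capture (the post shows 90 bytes of a header whose length
    field says 256) still yields the fixed prefix; the id string is decoded
    up to its first NUL from whatever bytes are available.
    """
    if not is_oft_payload(payload):
        raise ValueError("payload does not start with the OFT2 magic")
    if len(payload) < _OFT_FIXED.size:
        raise ValueError("payload too short for the OFT2 fixed header")
    fields = dict(zip(_OFT_FIELDS, _OFT_FIXED.unpack_from(payload, 0)))
    fields["magic"] = fields["magic"].decode("ascii")
    fields["cookie"] = fields["cookie"].hex()
    fields["type_name"] = OFT_TYPES.get(fields["type"], "unknown")
    raw_id = payload[ID_STRING_OFFSET:ID_STRING_OFFSET + ID_STRING_LEN]
    fields["id_string"] = raw_id.split(b"\0", 1)[0].decode("ascii", "replace")
    return fields


# Snort 2 rule with the same logic as matches_oft_rule(): OFT2 magic at
# payload offset 0 and the client id string at offset 68. Ports >1024 on both
# ends because the transfer runs peer-to-peer on ephemeral ports (post, point 1).
# The sid is a local-rules placeholder.
SNORT_RULE = (
    'alert tcp any 1024: -> any 1024: ('
    'msg:"POLICY AIM OFT2 file transfer"; flow:established; '
    'content:"OFT2"; depth:4; '
    'content:"Cool FileXfer"; offset:68; depth:13; '
    'classtype:policy-violation; sid:1000001; rev:1;)'
)


def matches_oft_rule(payload: bytes, require_id_string: bool = True) -> bool:
    """Apply the SNORT_RULE checks to one TCP segment payload.

    require_id_string=False drops the 'Cool FileXfer' match, which the post
    only observed for the one client it tested.
    """
    if not is_oft_payload(payload):
        return False
    if not require_id_string:
        return True
    return payload[ID_STRING_OFFSET:ID_STRING_OFFSET + 13] == b"Cool FileXfer"


def scan_payloads(payloads) -> list:
    """Return the indices of the payloads that would trigger the rule."""
    return [i for i, p in enumerate(payloads) if matches_oft_rule(p)]


if __name__ == "__main__":
    # Constructed sample traffic: the post's OFT2 packet, an HTTP request,
    # and a payload that only contains the magic later in the segment.
    samples = [
        OFT_PAYLOAD,
        b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
        b"\x00" * 10 + b"OFT2" + b"\x00" * 60,
    ]
    print("rule hits at", scan_payloads(samples))
    for name, value in parse_oft_header(OFT_PAYLOAD).items():
        print(f"{name:>22}: {value!r}")
```

Two points worth keeping in mind when turning this into a production rule: the content matches only fire when the OFT2 header starts a TCP segment, so the rule depends on the sensor seeing the first segment of the direct peer-to-peer connection (stream reassembly helps with split headers), and the "Cool FileXfer" id string identifies one client rather than the protocol, so a rule that matches only the "OFT2" magic (the require_id_string=False path above) catches other clients at the cost of more review work.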