Snort mailing list archives
Re: Snort and IM
From: Josh Bitto <jbitto () onlineschool ca>
Date: Mon, 18 Feb 2013 12:37:53 -0800
Ok so what about teamspeak?

From: Dustin Webber [mailto:dustin.webber () gmail com]
Sent: Monday, February 18, 2013 12:36 PM
To: Josh Bitto
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and IM

But like I said.. facebook is over ssl by default.. so you won't see this. only the initial request.

On Feb 18, 2013, at 2:32 PM, Josh Bitto <jbitto () onlineschool ca> wrote:

OH wait....hahaha.....brain fart....I see what you're saying, put /ajax/mercury/send_messages.php

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/mercury/send_messages.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:3;)

From: Dustin Webber [mailto:dustin.webber () gmail com]
Sent: Monday, February 18, 2013 12:28 PM
To: Josh Bitto
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and IM

Josh,

Looks like this rule is just out of date. The post URL I see for this is `/ajax/mercury/send_messages.php`, try that.

On Feb 18, 2013, at 2:21 PM, Josh Bitto <jbitto () onlineschool ca> wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:3;)

This rule is the one that was downloaded from snort.org....I don't have any custom rule sets. I'm able to go to facebook chat and chat up a storm with someone I know and I don't even get an alert on it.

________________________________________
From: Dustin Webber [dustin.webber () gmail com]
Sent: Monday, February 18, 2013 12:18 PM
To: Josh Bitto
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and IM

What does your rule look like. Also, isn't that ssl traffic? Are you looking for connections to a certain domain? Anyway, let's see the rule and I'm sure we can get this going.

On Feb 18, 2013, at 2:04 PM, Josh Bitto <jbitto () onlineschool ca> wrote:

I'm having issues where I can't get the emerging threat rules to fire on instant messaging or logging into teamspeak 3......I know that both my WAN and LAN are working because of other tests that I have conducted. Any ideas on my next course of action to fix the issue?

------------------------------------------------------------------------------
The Go Parallel Website, sponsored by Intel - in partnership with Geeknet, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials, tech docs, whitepapers, evaluation guides, and opinion stories. Check out the most recent posts - join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
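An added example, not code from the thread or from Emerging Threats: a small Python checker that pulls the `content` / `http_method` / `http_uri` / `http_header` matches out of the two versions of sid 2010784 quoted above and applies them to constructed HTTP requests, showing why the `/ajax/chat/send.php` revision misses the newer endpoint. It approximates Snort's buffer matching only (plain case-sensitive substring, no URI normalization, no `flow` or port evaluation) and, as Dustin notes, none of these buffers exist at all for traffic that is inside TLS.

```python
import re

# Constructed sample requests (not real captures) as the HTTP inspector
# would see them on a cleartext $HTTP_PORTS connection.
MERCURY_POST = (
    "POST /ajax/mercury/send_messages.php?__a=1 HTTP/1.1\r\n"
    "Host: www.facebook.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "message_batch[0][body]=hi"
)
OLD_CHAT_POST = MERCURY_POST.replace("/ajax/mercury/send_messages.php",
                                     "/ajax/chat/send.php")
UNRELATED_POST = (
    "POST /ajax/mercury/send_messages.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n\r\n"
)

# The two rule revisions from the thread, differing only in the http_uri content.
RULE_OLD = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT '
            'Facebook Chat (send message)"; flow:established,to_server; '
            'content:"POST"; http_method; content:"/ajax/chat/send.php"; '
            'http_uri; content:"facebook.com"; http_header; '
            'classtype:policy-violation; sid:2010784; rev:3;)')
RULE_NEW = RULE_OLD.replace("/ajax/chat/send.php", "/ajax/mercury/send_messages.php")

CONTENT_RE = re.compile(r'content:"([^"]*)";\s*(http_method|http_uri|http_header);')


def parse_rule_contents(rule):
    """Return [(pattern, buffer), ...] for each content match with an HTTP buffer modifier."""
    return CONTENT_RE.findall(rule)


def http_buffers(request):
    """Split a raw request into the method, URI and header buffers the rule inspects."""
    head, _, _body = request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return {"http_method": method, "http_uri": uri,
            "http_header": "\r\n".join(header_lines)}


def rule_matches(rule, request):
    """True when every content pattern is found in its designated buffer."""
    bufs = http_buffers(request)
    return all(pattern in bufs[buf] for pattern, buf in parse_rule_contents(rule))


if __name__ == "__main__":
    for name, rule in (("rev with /ajax/chat/send.php", RULE_OLD),
                       ("rev with /ajax/mercury/send_messages.php", RULE_NEW)):
        print(f"{name}: mercury POST -> {rule_matches(rule, MERCURY_POST)}")
```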