Security Basics mailing list archives

Re: how to block ALL AIM traffic ?


From: H Carvey <keydet89 () yahoo com>
Date: 28 Apr 2005 10:35:16 -0000

In-Reply-To: <f6dcb89f050426163274312303 () mail gmail com>

I am at an office with 50~ machines, out of those about 20 or so use
AIM. I would like to block AIM and normally I'd just block the AIM
port (5190) or whatever it is..

BUT AOL seems to have found a great way around this and has 4000+
different ports they use and I'd assume lots of different hosts.


What's the best way of blocking all AIM traffic?

Hhhhmmm..."best" really depends on a lot.

One way to handle it would be to put up a snort box with the appropriate rules in place that recognize OSCAR protocol 
traffic.  As it's leaving your network, set the rule to look for output ports set to "ANY".  Maybe you can set the rule 
to send back an RST packet.

Since you've got about 50 systems, using WMI for the Windows systems may be an option.  Look for those systems with AIM 
installed or running, and uninstall it.  Third party tools such as pslist and pskill from SysInternals will let you 
stop the AIM.exe process from running.  Combine that with corporate policies against installing software and the use of 
instant messaging systems, and you're most of the way there.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
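
The port-independent matching suggested in the reply above, sketched as an added example that is not part of the original post: it recognizes OSCAR by its FLAP framing (a `*` marker byte, a channel byte, then 16-bit sequence and length fields) instead of by destination port. The function names, addresses and payloads are constructed for illustration, and each payload is assumed to be the complete first client segment of a connection.

```python
import struct

# FLAP framing used by OSCAR: '*' marker, channel, sequence, data length (big-endian).
FLAP_HEADER = struct.Struct(">BBHH")
FLAP_MARKER = 0x2A
FLAP_CHANNELS = {1, 2, 3, 4, 5}  # signon, SNAC data, error, signoff, keepalive

def make_flap(channel, seq, data):
    """Build one FLAP frame (used only to construct the sample payloads)."""
    return FLAP_HEADER.pack(FLAP_MARKER, channel, seq, len(data)) + data

def parse_flap_frames(payload):
    """Return [(channel, seq, data), ...], or [] unless the payload is whole FLAP frames."""
    frames, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < FLAP_HEADER.size:
            return []  # trailing bytes too short for a header
        marker, channel, seq, length = FLAP_HEADER.unpack_from(payload, offset)
        start = offset + FLAP_HEADER.size
        if marker != FLAP_MARKER or channel not in FLAP_CHANNELS:
            return []
        if start + length > len(payload):
            return []  # declared length overruns the segment
        frames.append((channel, seq, payload[start:start + length]))
        offset = start + length
    return frames

def looks_like_oscar_signon(payload):
    """True if the first frame is a channel-1 signon carrying FLAP version 1."""
    frames = parse_flap_frames(payload)
    return bool(frames) and frames[0][0] == 1 and frames[0][2][:4] == b"\x00\x00\x00\x01"

def flag_flows(first_segments):
    """Return the (client, destination port) pairs whose first client segment is OSCAR."""
    return sorted(k for k, seg in first_segments.items() if looks_like_oscar_signon(seg))

# Constructed sample data: first outbound TCP payload per (client IP, destination port).
SAMPLES = {
    ("10.0.0.23", 5190): make_flap(1, 1, b"\x00\x00\x00\x01"),
    ("10.0.0.31", 443): make_flap(1, 7, b"\x00\x00\x00\x01") + make_flap(2, 8, b"\x00" * 10),
    ("10.0.0.40", 80): b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    ("10.0.0.41", 8080): b"*\x01 looks close, but the length field overruns",
}

if __name__ == "__main__":
    for client, port in flag_flows(SAMPLES):
        print(f"OSCAR signon from {client} to destination port {port}")
```

The second sample is flagged even though it goes to port 443, which is the case a block on port 5190 alone misses.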

