Snort mailing list archives

Re: AOL Instant Messenger signature?


From: Blake Frantz <blake () mc net>
Date: Tue, 1 May 2001 13:42:32 -0500 (CDT)


Hello,

I spent about 30 mins playing and came up with the following:

   - AIM 3.0 defaults to port 5190/tcp
   - All packets were set to DF (Do not Fragment)
   - The payload always started with "2A 02"

alert tcp $EXTERNAL_NET 5190 -> $HOME_NET 1024: (msg:"AOL Instant Messenger - Inbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 5190 (msg:"AOL Instant Messenger - Outbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)

If anyone can improve this or find any instances which cause this rule
to fail, please speak up.

Blake Frantz

================================================================= 
The Government, like diapers, should be replaced regularly, and
often for the same reasons. 

On Mon, 16 Apr 2001, Jones, Benny wrote:

Fellow snorters...

Is there a signature to detect AIM activity?
I couldn't find one on www.snort.org or
www.whitehats.com.

Thanks in advance.

Benny

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



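Added example (not code from the post above): a small Python model of the two rules, run over constructed packets, to show which AIM frames they fire on and which they let through. It assumes that AIM's OSCAR protocol wraps every message in a 6-byte FLAP header (0x2A marker, a channel byte, a sequence number and a length; channel 1 is the connection handshake, 2 is SNAC data, 5 is keep-alive), which is why the "|2A 02|" match picks up only SNAC data frames. $HOME_NET as 10.0.0.0/24, the server address 192.0.2.10 and the packet contents are all constructed for the example.

```python
"""Model of the two Snort AIM rules, with FLAP-aware samples (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

AIM_PORT = 5190
EPHEMERAL_MIN = 1024            # Snort port spec "1024:" = 1024 and above
HOME_PREFIX = "10.0.0."         # assumption: $HOME_NET is 10.0.0.0/24
FLAP_MARKER = 0x2A
# FLAP channel numbers (OSCAR framing; an assumption, not stated in the post)
FLAP_CHANNELS = {1: "new connection", 2: "SNAC data", 3: "error",
                 4: "close", 5: "keep-alive"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    df: bool            # IP Don't Fragment bit, what fragbits:D tests
    payload: bytes      # TCP payload as content/offset/depth see it


def flap(channel: int, seq: int, data: bytes = b"") -> bytes:
    """Build one FLAP frame: 0x2A, channel, 16-bit sequence, 16-bit length, data."""
    return struct.pack(">BBHH", FLAP_MARKER, channel, seq, len(data)) + data


def parse_flap(payload: bytes) -> Optional[dict]:
    """Decode a FLAP header, or return None if the payload is not a FLAP frame."""
    if len(payload) < 6 or payload[0] != FLAP_MARKER:
        return None
    _, channel, seq, length = struct.unpack(">BBHH", payload[:6])
    if len(payload) - 6 < length:       # truncated frame
        return None
    return {"channel": channel, "kind": FLAP_CHANNELS.get(channel, "unknown"),
            "seq": seq, "length": length}


def _home(ip: str) -> bool:
    return ip.startswith(HOME_PREFIX)


def match_rule(p: Packet) -> Optional[str]:
    """Return the msg of the rule this packet would fire, or None."""
    # content:"|2A 02|"; offset:0; depth:2; fragbits:D;
    if not (p.df and p.payload[:2] == b"\x2a\x02"):
        return None
    if (not _home(p.src) and p.sport == AIM_PORT
            and _home(p.dst) and p.dport >= EPHEMERAL_MIN):
        return "AOL Instant Messenger - Inbound"
    if (_home(p.src) and p.sport >= EPHEMERAL_MIN
            and not _home(p.dst) and p.dport == AIM_PORT):
        return "AOL Instant Messenger - Outbound"
    return None


# Constructed sample traffic; 192.0.2.10 stands in for an AIM server.
CLIENT, SERVER = "10.0.0.7", "192.0.2.10"
SNAC = b"\x00\x04\x00\x06\x00\x00\x00\x00\x00\x01"   # constructed SNAC-like bytes
SAMPLE = {
    "server_snac":      Packet(SERVER, 5190, CLIENT, 1043, True, flap(2, 7, SNAC)),
    "client_snac":      Packet(CLIENT, 1043, SERVER, 5190, True, flap(2, 3, SNAC)),
    # channel 1 carries the connection handshake: first byte 2A, second byte 01
    "client_hello":     Packet(CLIENT, 1043, SERVER, 5190, True, flap(1, 1, b"\x00\x00\x00\x01")),
    "server_keepalive": Packet(SERVER, 5190, CLIENT, 1043, True, flap(5, 9)),
    "client_snac_nodf": Packet(CLIENT, 1043, SERVER, 5190, False, flap(2, 4, SNAC)),
    "client_snac_5191": Packet(CLIENT, 1043, SERVER, 5191, True, flap(2, 5, SNAC)),
}


def evaluate(samples=SAMPLE) -> dict:
    """Run every sample through the rules; value is the rule msg or None."""
    return {name: match_rule(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        hdr = parse_flap(SAMPLE[name].payload)
        print(f"{name:18} FLAP channel {hdr['channel']} ({hdr['kind']:15}) -> {hit}")
```

Running it shows the two SNAC data frames firing the Inbound and Outbound rules, while the channel-1 handshake, the keep-alive, a frame without DF set and a session on a port other than 5190 all pass silently: the rule sees an established session but not its setup, and depends on both the DF bit and the default port.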