Snort mailing list archives

RE: AOL Rule


From: "Cessna, Michael" <MCessna () rtm com>
Date: Wed, 24 Oct 2001 16:28:01 -0400

AIM normally connects on tcp 5190 but it can be set to communicate on any
port. Also, the data portion of the packet starts with |2A 02|; it may also
start with |2A 05|, but this is only for the "unknown" info message, so you
really don't need to capture those packets.

log tcp any any -> any 5190 (content:"|2A 02|";)
log tcp any 5190 -> any any (content:"|2A 02|";)

If I get some time soon I'll try to clean up the rule a little bit. As it
sits you will get some false positives, but it will catch all the AIM
traffic on 5190. I put this in because our execs wanted to keep a record of
AIM traffic in case we had an info leak, but did not want to ban AIM (trying
to keep the employees happy :)
Mike

-----Original Message-----
From: Greg Robinson [mailto:greg () diverdown cc]
Sent: Wednesday, October 24, 2001 4:24 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] AOL Rule


Has anyone ever written a rule to log AOL IMs the way the MSM IMs are
logged to the database... some help on that would greatly be appreciated...

Greg

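Added example, not part of either message in the thread: a small Python sketch that reproduces the `content:"|2A 02|"` test from Mike's two rules (including the 5190 port restriction) and then applies a stricter, port-independent check based on the FLAP framing that AIM's OSCAR protocol wraps every message in (a 0x2A marker, a one-byte channel, a two-byte sequence number and a two-byte payload length, with channel 2 carrying the SNAC data messages). Validating the length field and walking every frame in the segment is what removes the false positives the reply mentions, and dropping the port test is what catches AIM configured on another port. All payloads, ports, sequence numbers and SNAC header values below are constructed for illustration.

```python
import struct

FLAP_MARKER = 0x2A          # first byte of every FLAP frame
FLAP_HEADER_LEN = 6         # marker(1) channel(1) seq(2) length(2)
FLAP_CHANNELS = {1, 2, 3, 4, 5}
SNAC_CHANNEL = 2            # channel that carries SNAC data (what the rule targets)
AIM_PORT = 5190


def snort_rule_match(src_port: int, dst_port: int, payload: bytes) -> bool:
    """Behaviour of the two rules from the thread: either port is 5190 and
    the two-byte sequence 2A 02 appears anywhere in the payload."""
    port_ok = src_port == AIM_PORT or dst_port == AIM_PORT
    return port_ok and b"\x2a\x02" in payload


def parse_flap_frames(payload: bytes):
    """Split a TCP payload into well-formed FLAP frames.

    Returns a list of {channel, seq, data} dicts, or None if the bytes do
    not consist entirely of valid back-to-back frames (wrong marker, unknown
    channel, or a length field that does not match the bytes present)."""
    frames = []
    off = 0
    while off < len(payload):
        if len(payload) - off < FLAP_HEADER_LEN:
            return None
        marker, channel, seq, length = struct.unpack_from(">BBHH", payload, off)
        if marker != FLAP_MARKER or channel not in FLAP_CHANNELS:
            return None
        body = payload[off + FLAP_HEADER_LEN: off + FLAP_HEADER_LEN + length]
        if len(body) != length:
            return None
        frames.append({"channel": channel, "seq": seq, "data": body})
        off += FLAP_HEADER_LEN + length
    return frames


def classify_payload(payload: bytes) -> str:
    """Port-independent verdict: 'aim-data' if any frame is a channel-2
    (SNAC) frame, 'aim-control' for other valid FLAP traffic, else 'no-match'."""
    frames = parse_flap_frames(payload)
    if not frames:
        return "no-match"
    if any(f["channel"] == SNAC_CHANNEL for f in frames):
        return "aim-data"
    return "aim-control"


def build_flap(channel: int, seq: int, data: bytes) -> bytes:
    """Helper to construct a FLAP frame for the samples below."""
    return struct.pack(">BBHH", FLAP_MARKER, channel, seq, len(data)) + data


# Constructed samples (hypothetical values, not captured traffic).
SNAC_HEADER = struct.pack(">HHHI", 0x0004, 0x0006, 0x0000, 1)  # made-up SNAC header
SAMPLE_AIM = build_flap(SNAC_CHANNEL, 0x1234, SNAC_HEADER + b"hello")
SAMPLE_TWO_FRAMES = SAMPLE_AIM + build_flap(5, 0x1235, b"")      # data frame + keepalive
SAMPLE_KEEPALIVE = build_flap(5, 0x0001, b"")
SAMPLE_LOOKALIKE = b"\x00\x10\x2a\x02\x00\x00"                  # 2A 02 mid-payload
SAMPLE_BAD_LEN = b"\x2a\x02\x00\x01\xff\xff" + b"short"          # length field lies
SAMPLE_HTTP = b"GET / HTTP/1.0\r\n\r\n"


def compare(src_port: int, dst_port: int, payload: bytes) -> tuple:
    """Return (rule verdict, FLAP verdict) so the two checks can be compared."""
    return snort_rule_match(src_port, dst_port, payload), classify_payload(payload)


if __name__ == "__main__":
    for name, ports, pl in [
        ("aim on 5190", (40000, 5190), SAMPLE_AIM),
        ("aim on other port", (40000, 8080), SAMPLE_AIM),
        ("lookalike on 5190", (5190, 40000), SAMPLE_LOOKALIKE),
        ("bad length on 5190", (40000, 5190), SAMPLE_BAD_LEN),
        ("http on 5190", (40000, 5190), SAMPLE_HTTP),
    ]:
        print(name, compare(*ports, pl))
```

The rule-style check fires on the look-alike and bad-length payloads (false positives) and misses AIM on port 8080; the FLAP walk gets all five right, at the cost of being something you would implement in a preprocessor or a post-capture script rather than in a 2001-era content rule.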
