Snort mailing list archives
RE: AOL Rule
From: "Cessna, Michael" <MCessna () rtm com>
Date: Wed, 24 Oct 2001 16:28:01 -0400
Aim normally connects on tcp 5190 but it can be set to communicate on any port. Also the data portion of the packet starts with |2A 02|, it may also start with |2A 05| but this is only for the "unknown" info message, so you really don't need to capture those packets.

log tcp any any -> any 5190 (content:"|2A 02|";)
log tcp any 5190 -> any any (content:"|2A 02|";)

If I get some time soon I'll try to clean up the rule a little bit. As it sits you will get some false positives, but it will catch all the aim traffic on 5190. I put this in because our execs wanted to keep a record of aim traffic in case we had an info leak, but did not want to ban AIM (trying to keep the employees happy :)

Mike

-----Original Message-----
From: Greg Robinson [mailto:greg () diverdown cc]
Sent: Wednesday, October 24, 2001 4:24 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] AOL Rule

Has anyone ever written a rule to log aol IM's the way the MSM im's are logged to the database....some help on that would greatly be appreciated...

Greg
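Added example (not from Mike's post and not Snort code): a small Python script that shows what the rule's content:"|2A 02|" test actually checks and why it produces the false positives the post mentions. A plain Snort content: match fires when the two bytes appear anywhere in the TCP payload, so an HTTP request containing an asterisk (0x2A) followed by a 0x02 byte triggers it just as an AIM frame does. The script contrasts that with a parser that requires a FLAP frame header at offset 0; the header layout assumed here (start byte 0x2A, one-byte channel, two-byte sequence number, two-byte data length, all big-endian) is the common description of the OSCAR FLAP framing, and all sample payloads are constructed, not captured traffic.

```python
"""Compare the rule's loose content match with a header-anchored FLAP check.

Added example; assumes the commonly documented FLAP header layout:
  0x2A | channel (1 byte) | seq (2 bytes BE) | data length (2 bytes BE) | data
"""
import struct

# Byte pattern from the rule in the post: content:"|2A 02|"
RULE_PATTERN = b"\x2a\x02"

# Constructed sample TCP payloads (assumptions, not real captures).
SAMPLE_PAYLOADS = {
    # FLAP channel 2 (data) frame, seq 1, 8 bytes of arbitrary body
    "aim_data_frame": b"\x2a\x02\x00\x01\x00\x08" + b"\x00\x04\x00\x06\x00\x00\x00\x01",
    # FLAP channel 5 frame, seq 2, empty body
    "aim_channel5_frame": b"\x2a\x05\x00\x02\x00\x00",
    # HTTP request whose header value happens to contain '*' (0x2A) then 0x02
    "http_false_positive": b"GET /index.html HTTP/1.0\r\nX-Constructed: *\x02\r\n\r\n",
    # Payload with no 0x2A 0x02 anywhere
    "unrelated": b"hello world",
}


def rule_fires(payload: bytes) -> bool:
    """Mirror of the post's rule: an unanchored content: option matches the
    pattern at any offset in the packet payload."""
    return RULE_PATTERN in payload


def parse_flap_header(payload: bytes):
    """Parse a FLAP frame header at offset 0 (assumed layout above).

    Returns a dict with channel, seq, length and data, or None when the
    payload does not start with a well-formed FLAP header."""
    if len(payload) < 6 or payload[0] != 0x2A:
        return None
    channel, seq, length = struct.unpack(">BHH", payload[1:6])
    if length > len(payload) - 6:
        return None  # declared length exceeds the bytes actually present
    return {"channel": channel, "seq": seq, "length": length,
            "data": payload[6:6 + length]}


def classify(payload: bytes) -> str:
    """Label a payload: a FLAP frame (with its channel), a content match that
    is not a FLAP frame (likely false positive), or no match at all."""
    hdr = parse_flap_header(payload)
    if hdr is not None:
        return f"flap-channel-{hdr['channel']}"
    if rule_fires(payload):
        return "content-match-only"
    return "no-match"


def audit(samples=SAMPLE_PAYLOADS):
    """Run both checks over every sample; returns {name: (rule_fires, label)}."""
    return {name: (rule_fires(p), classify(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (fires, label) in audit().items():
        print(f"{name:22s} rule_fires={str(fires):5s} classification={label}")
```

Running it shows the channel 2 frame and the HTTP request both trip the rule, while only the former parses as a FLAP frame; the channel 5 frame does not contain the 2A 02 sequence, which matches the post's remark that those packets are not captured. Snort's content: modifiers offset and depth can anchor a match to the first bytes of the payload, which is one way to tighten the rule toward the header-anchored check above.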
Current thread:
- AOL Rule Greg Robinson (Oct 24)
- <Possible follow-ups>
- RE: AOL Rule Cessna, Michael (Oct 24)
- RE: AOL Rule Cessna, Michael (Oct 24)
- RE: AOL Rule Jim Forster (Oct 24)