Snort mailing list archives

RE: AOL Rule


From: "Cessna, Michael" <MCessna () rtm com>
Date: Wed, 24 Oct 2001 17:31:04 -0400

I cleaned the rule up a bit:
log tcp any any -> any 5190 (msg:"AIM packet"; content:"|2A 02|"; depth:2; flags:AP+; classtype:not-suspicious; priority:0;)
log tcp any 5190 -> any any (msg:"AIM packet"; content:"|2A 02|"; depth:2; flags:AP+; classtype:not-suspicious; priority:0;)

If you are not using the binary logging format then you can add the
logto:"<filename>" option to the rule to have a separate log for the rule (I
use binary logging so I didn't add it to the rule). Also, since we are
checking the payload of the data packet for the |2A 02| content with a depth
limit, the 5190 port should not be needed... I'll have to check that out.
Anyway, I'm running this rule tonight and will check the log against yesterday's
log when I get back in tomorrow to make sure that I'm not dropping anything
that should be logged. After that I'll test it without the port restrictions,
since AIM can connect on just about any port. I'm not sure how much impact
that will have on Snort, but I'll set up a test sensor and find out. I'll let
you know what I find.
Mike

-----Original Message-----
From: Cessna, Michael [mailto:MCessna () rtm com]
Sent: Wednesday, October 24, 2001 4:28 PM
To: 'Greg Robinson'; Snort-users () lists sourceforge net
Subject: RE: [Snort-users] AOL Rule


AIM normally connects on TCP 5190 but it can be set to communicate on any
port. Also, the data portion of the packet starts with |2A 02|; it may also
start with |2A 05|, but this is only for the "unknown" info message, so you
really don't need to capture those packets.
 
log tcp any any -> any 5190 (content:"|2A 02|";)
log tcp any 5190 -> any any (content:"|2A 02|";)

If I get some time soon I'll try to clean up the rule a little bit. As it
sits you will get some false positives, but it will catch all the AIM
traffic on 5190. I put this in because our execs wanted to keep a record of
AIM traffic in case we had an info leak, but did not want to ban AIM (trying
to keep the employees happy :)
Mike

-----Original Message-----
From: Greg Robinson [mailto:greg () diverdown cc]
Sent: Wednesday, October 24, 2001 4:24 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] AOL Rule


Has anyone ever written a rule to log AOL IMs the way the MSN IMs are
logged to the database? Some help on that would be greatly appreciated...
 
Greg


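The three rule variants discussed in this thread (Mike's first-cut rule with only a content match, the cleaned-up rule with depth:2 and flags:AP+, and the port-free variant he says he will test next) modelled in Python and run over constructed packets. This is an added example, not code from the thread or from Snort; the packets are constructed, not captured. It assumes the standard 6-byte OSCAR FLAP header (0x2A, channel, 16-bit sequence, 16-bit length) and models Snort's depth:2 as "the 2-byte content must sit at payload offset 0" and flags:AP+ as "ACK and PSH set, any other bits allowed":

```python
# Added example, not part of the thread: a model of the Snort rules Mike posted,
# run over constructed packets to show what each variant does and does not log.
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

AIM_PORT = 5190           # the port AIM normally uses, per the thread
FLAP_START = 0x2A         # every OSCAR FLAP frame begins with '*'
FLAP_DATA_CHANNEL = 0x02  # the channel byte the rules look for (|2A 02|)


@dataclass
class Packet:
    """Minimal TCP segment model: ports, flag letters as Snort writes them, payload."""
    src_port: int
    dst_port: int
    flags: Set[str]   # e.g. {"A", "P"} for ACK+PSH
    payload: bytes


def flap(channel: int, seq: int, body: bytes) -> bytes:
    """Build a FLAP frame: 0x2A, channel, 16-bit sequence, 16-bit length, body."""
    return (bytes([FLAP_START, channel]) + seq.to_bytes(2, "big")
            + len(body).to_bytes(2, "big") + body)


def parse_flap_header(payload: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (channel, seq, length) if the payload starts with a FLAP header, else None."""
    if len(payload) < 6 or payload[0] != FLAP_START:
        return None
    return (payload[1],
            int.from_bytes(payload[2:4], "big"),
            int.from_bytes(payload[4:6], "big"))


def on_aim_port(pkt: Packet) -> bool:
    """The pair of rules covers both directions: dst 5190 or src 5190."""
    return AIM_PORT in (pkt.src_port, pkt.dst_port)


def starts_with_data_frame(pkt: Packet) -> bool:
    """content:"|2A 02|"; depth:2; -- the two bytes must be the first two of the payload."""
    return pkt.payload[:2] == bytes([FLAP_START, FLAP_DATA_CHANNEL])


def flags_ap_plus(pkt: Packet) -> bool:
    """flags:AP+; -- ACK and PSH must be set, other flags may be set too."""
    return {"A", "P"} <= pkt.flags


def rule_first_cut(pkt: Packet) -> bool:
    """log tcp any any -> any 5190 (content:"|2A 02|";) plus its mirror.
    No depth, so the two bytes may appear anywhere in the payload."""
    return on_aim_port(pkt) and b"\x2a\x02" in pkt.payload


def rule_cleaned(pkt: Packet) -> bool:
    """The cleaned-up rule: port 5190 either way, content at offset 0, ACK+PSH set."""
    return on_aim_port(pkt) and flags_ap_plus(pkt) and starts_with_data_frame(pkt)


def rule_portless(pkt: Packet) -> bool:
    """The variant Mike says he will test next: same checks, no port restriction."""
    return flags_ap_plus(pkt) and starts_with_data_frame(pkt)


# Constructed sample traffic (not captured data). Ports and sequence numbers are arbitrary.
SAMPLES = {
    "snac_on_5190":    Packet(3342, 5190, {"A", "P"}, flap(2, 0x1234, b"\x00\x04\x00\x06" + b"hello")),
    "keepalive_ch5":   Packet(5190, 3342, {"A", "P"}, flap(5, 0x1235, b"")),
    "binary_on_5190":  Packet(5190, 3342, {"A", "P"}, b"\x00\x10\x2a\x02\xff\xee"),  # |2A 02| mid-payload
    "snac_on_port_80": Packet(3343, 80,   {"A", "P"}, flap(2, 0x0001, b"\x00\x04\x00\x06")),
    "snac_no_psh":     Packet(3342, 5190, {"A"},      flap(2, 0x1236, b"\x00\x04\x00\x06")),
}


def matches(rule: Callable[[Packet], bool]) -> List[str]:
    """Names of the sample packets a rule would log, in SAMPLES order."""
    return [name for name, pkt in SAMPLES.items() if rule(pkt)]


if __name__ == "__main__":
    for rule in (rule_first_cut, rule_cleaned, rule_portless):
        print(f"{rule.__name__:15s} logs {matches(rule)}")
```

Running it shows the trade-offs the thread is circling: the first-cut rule also logs the non-AIM packet whose payload happens to contain 2A 02 in the middle (the false positives Mike mentions), the cleaned rule drops that but, because of flags:AP+, also drops an AIM data segment sent without PSH, and only the port-free variant sees the AIM frame on port 80. Whether that last case is worth the extra per-packet cost is exactly what a test sensor would tell you.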