RE: AOL Rule

[Jim Forster <jforster () rapidnet com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One more cleanup.  :)   This one catches ICQ2000b.
alert tcp any any <> any 5190 (msg:"ICQ"; flags:A+; content:"|2A 02|"; 
depth: 2; content:"|04|"; offset: 7; depth: 1; dsize:> 140;)


At 03:31 PM 10/24/2001, Cessna, Michael wrote:
> I cleaned the rule up a bit:
> log tcp any any -> any 5190 (msg: "AIM packet"; content:"|2A 
> 02|";depth:2;flags:AP+;classtype:not-suspicious;priority:0;)
> log tcp any 5190 -> any any (msg: "AIM packet"; content:"|2A 
> 02|";depth:2;flags:AP+;classtype:not-suspicious;priority:0;)
>
> If you are not using the binary logging format than you can add the 
> LOGTO:"<filename>" option to the rule to have a separate log for the rule 
> (I use binary logging so I didn't add it to the rule). Also since we are 
> checking the payload of the data packet for the |2A 02| content with a 
> depth limit, the 5190 port should not be needed......I'll have to check 
> that out.
> Anyway I'm running this rule tonight and check the log against yesterdays 
> log when I get back in tomorrow to make sure that I'm not dropping 
> anything that should be logged. After that I'll test it without the port 
> restrictions since AIM can connect on just about any port. I'm not sure 
> how much impact that will have on snort but I'll set up a test sensor and 
> find out. I'll let you know what I find.
> Mike
> -----Original Message-----
> From: Cessna, Michael [mailto:MCessna () rtm com]
> Sent: Wednesday, October 24, 2001 4:28 PM
> To: 'Greg Robinson'; Snort-users () lists sourceforge net
> Subject: RE: [Snort-users] AOL Rule
>
> Aim normally connects on tcp 5190 but it can be set to communicate on any 
> port. Also the data portion of the packet starts with |2A 02|, it may also 
> start with |2A 05| but this is only for the "unknown" info message, so you 
> really don't need to capture those packets.
>
> log tcp any any -> any 5190 (content:"|2A 02|";)
> log tcp any 5190 -> any any (content:"|2A 02|";)
> If I get some time soon I'll try to clean up the rule a little bit. As it 
> sits you will get some false positives, but it will catch all the aim 
> traffic on 5190. I put this in because our execs wanted to keep a record 
> of aim traffic in case we had an info leak, but did not want to ban AIM 
> (trying to keep the employees happy :)
> Mike
> -----Original Message-----
> From: Greg Robinson [mailto:greg () diverdown cc]
> Sent: Wednesday, October 24, 2001 4:24 PM
> To: Snort-users () lists sourceforge net
> Subject: [Snort-users] AOL Rule
>
> Has anyone ever writen a rule to log aol IM's the way the MSM im's are 
> logged to the database....some help on that would greatly be appreciated...
>
> Greg

- -----------------------------------------------------
Jim Forster
Network Administrator
RapidNet, A Golden West Company
- -----------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBO9c6tIm0Gn1R8/mJEQJjbgCgzD7ww5qci101ywBKOVyz6NoLj4MAniYq
iMe8Kj2lpMQ0HcD3lW0fCtl4
=UAgN
-----END PGP SIGNATURE-----


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users