Snort mailing list archives

Rule to log Instant Messaging connections


From: Spy Guy <spyguy703 () yahoo com>
Date: Tue, 21 May 2002 16:58:47 -0700 (PDT)

I have a Snort IDS on my internal network. It's been
running fine and everything works great.

I am trying to create a custom rule to log certain
events. I am trying to log connections to AOL, Yahoo,
and MSN instant messaging services.

The firewall is configured to not allow ALL traffic
out. Thus, users are still connecting to these
services via ports 21, 23, and 80 which ARE allowed
OUT. Therefore, the included chat rules will not work.

How should I write a rule to detect IM services
running on these ports? 

Should I create a generic rule that logs all port 21,
23, and 80 connections to:

216.136.226.0/24 for yahoo
64.4.13.128/25 for MSN
etc...?

Or is there a better approach?

