Snort mailing list archives

Re: rule for Yahoo or Hotmail messengers


From: "Imran William Smith" <iwsmith () mimos my>
Date: Mon, 17 Jun 2002 18:01:01 +0800

Note: in future, queries like this belong in the snort-sigs group.

For Yahoo I built the following rules, but have not tested them much yet.
In particular, I was worried about message transfers - much more
dangerous than just people talking....

Only the original connect to Yahoo should be flagged, not every single message,
to reduce the amount of data logged.

You'll have to allocate your own sids.



# Login (server -> client): every content: option in a rule must match, so
# "YMSG" has to appear alongside the cookie string before the rule fires.
alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"INFO Yahoo messenger login"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Yahoo messenger login through port 80"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)

# File transfer (client -> server), same two-string approach.
alert tcp $HOME_NET any -> $EXTERNAL_NET 119 (msg:"INFO Yahoo messenger file transfer"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INFO Yahoo messenger file transfer through port 80"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)




--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia
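The following is an added example, not part of the original post and not the poster's code: it re-implements the matching semantics of the four rules above (direction, port, `flags: A+`, and the AND of the two `content:` strings) in Python and runs them over constructed packets. It assumes $HOME_NET is 10.0.0.0/24, uses a documentation-range address for the "Yahoo" server, and builds YMSG frames with the 20-byte header layout (magic, version, vendor, length, service, status, session id) that the open-source Yahoo clients document; the payloads are constructed, not captured. The last packet shows a gap a practitioner would want to know about: the posted rules only cover ports 119 and 80, so a client talking on Yahoo Messenger's default port 5050 is never flagged.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOME_NET_PREFIX = "10.0.0."   # assumed $HOME_NET; anything else is $EXTERNAL_NET


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str        # TCP flag letters as Snort prints them, e.g. "PA"
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    src_home: bool             # True = $HOME_NET, False = $EXTERNAL_NET
    src_port: Optional[int]    # None = any
    dst_home: bool
    dst_port: Optional[int]
    contents: Tuple[bytes, ...]   # Snort ANDs multiple content: options


def is_home(ip: str) -> bool:
    return ip.startswith(HOME_NET_PREFIX)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if "A" not in pkt.flags:                      # flags: A+ -> ACK set, others ignored
        return False
    if is_home(pkt.src_ip) != rule.src_home or is_home(pkt.dst_ip) != rule.dst_home:
        return False
    if rule.src_port is not None and pkt.src_port != rule.src_port:
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    return all(c in pkt.payload for c in rule.contents)


# The four rules from the post, transcribed into the structure above.
RULES = [
    Rule(1000001, "INFO Yahoo messenger login", False, 119, True, None,
         (b"domain=.yahoo.com", b"YMSG")),
    Rule(1000002, "INFO Yahoo messenger login through port 80", False, 80, True, None,
         (b"domain=.yahoo.com", b"YMSG")),
    Rule(1000003, "INFO Yahoo messenger file transfer", True, None, False, 119,
         (b"FILEXFER", b"YMSG")),
    Rule(1000004, "INFO Yahoo messenger file transfer through port 80", True, None, False, 80,
         (b"FILEXFER", b"YMSG")),
]


def scan(packets: List[Packet]) -> List[List[int]]:
    """Return, per packet, the sids of the rules that would fire on it."""
    return [[r.sid for r in RULES if rule_matches(r, p)] for p in packets]


def ymsg(service: int, session: int, fields) -> bytes:
    """Build a YMSG frame: 'YMSG', version, vendor id, payload length, service,
    status, session id (big-endian), then key/value pairs separated by 0xC0 0x80.
    Constructed for this example; not a captured frame."""
    body = b"".join(k + b"\xc0\x80" + v + b"\xc0\x80" for k, v in fields)
    return b"YMSG" + struct.pack(">HHHHII", 9, 0, len(body), service, 0, session) + body


HOME_HOST = "10.0.0.5"
EXT_HOST = "192.0.2.10"   # documentation-range address standing in for a Yahoo server

# Constructed sample payloads (assumed field numbers; chosen to exercise the rules).
LOGIN_REPLY = ymsg(1, 0x1234, [(b"1", b"someuser"),
                               (b"59", b"Y\tv=1&n=abc; path=/; domain=.yahoo.com")])
XFER_REQ = ymsg(0x46, 0x1234, [(b"1", b"someuser"), (b"27", b"FILEXFER")])
PLAIN_HTTP = b"HTTP/1.1 200 OK\r\nSet-Cookie: B=abc; path=/; domain=.yahoo.com\r\n\r\n<html>"

SAMPLE_PACKETS = [
    Packet(EXT_HOST, 119, HOME_HOST, 3456, "PA", LOGIN_REPLY),  # sid 1000001
    Packet(EXT_HOST, 80, HOME_HOST, 3457, "PA", LOGIN_REPLY),   # sid 1000002
    Packet(EXT_HOST, 80, HOME_HOST, 3458, "PA", PLAIN_HTTP),    # cookie alone: no alert
    Packet(HOME_HOST, 3459, EXT_HOST, 80, "PA", XFER_REQ),      # sid 1000004
    Packet(HOME_HOST, 3460, EXT_HOST, 5050, "PA", XFER_REQ),    # port 5050: not covered
]

if __name__ == "__main__":
    for pkt, sids in zip(SAMPLE_PACKETS, scan(SAMPLE_PACKETS)):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}  {sids or 'no alert'}")
```

The third packet is the reason the rules carry two `content:` strings: an ordinary HTTP reply from a yahoo.com web server sets the same cookie domain, and matching on it alone would fire on every web visit. Note that without `distance`/`within` modifiers Snort does not require the two strings to be in any order, which this matcher reproduces.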



----- Original Message ----- 
From: "Ronneil Camara" <ronneilc () remingtonltd com>
To: <snort-users () lists sourceforge net>
Sent: Monday, June 17, 2002 2:11 PM
Subject: [Snort-users] rule for Yahoo or Hotmail messengers


| Does anyone have a rule to detect logins to yahoo or hotmail messengers
| and if using port 80?
| 
| Adding a rule based on destination address is easy. But I was hoping
| that someone has already created a rule based on a sniffed packet
| of yahoo or hotmail traffic headers. (Sorta content filtering approach)
| 
| Thanks in advance.
| 
| Neil
| 
| 


_______________________________________________________________

Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

