Snort mailing list archives

RE: ICQ Rule


From: "Derrick Lichti" <dlichti () mitra com>
Date: Tue, 29 Oct 2002 15:49:27 -0500

Preferably every time somebody uses ICQ. I've been pointed towards monitoring port 5190, which is a good start; unfortunately, users can get around it!
 
Thanks,
Derrick
 
-----Original Message-----
From: Jarret Gibson [mailto:jarret () osa comax com]
Sent: Tuesday, October 29, 2002 3:38 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ICQ Rule
 
Are you wanting a snort alert rule for any time someone uses ICQ?
 
Or are you wanting a filter rule for something like Ethereal to capture packets?
 
Jarret
----- Original Message ----- 

From: Derrick Lichti <mailto:dlichti () mitra com>  
To: snort-users () lists sourceforge net 
Sent: Tuesday, October 29, 2002 1:59 PM
Subject: [Snort-users] ICQ Rule
 
Hi All;
 
I'm looking for a rule that would grab any packets from a client using ICQ. Does anybody know of any unique information that lies in ICQ message packets? Unfortunately, I don't have a method of testing this myself or else I would have grabbed packets and looked...
 
Thanks!
Derrick
