Snort mailing list archives

Re: ICQ Rule


From: "Jarret Gibson" <jarret () osa comax com>
Date: Tue, 29 Oct 2002 16:02:21 -0500

Write a rule to check for UDP packets containing "icq.com" and "login".  That info is usually contained in a packet 
every time they log on to ICQ.  I haven't bothered with learning to write rules yet, but from what I've seen, something 
like this would be pretty simple.

Jarret
  ----- Original Message ----- 
  From: Derrick Lichti 
  To: snort-users () lists sourceforge net 
  Sent: Tuesday, October 29, 2002 3:49 PM
  Subject: RE: [Snort-users] ICQ Rule


  Preferably every time somebody uses ICQ. I've been pointed towards monitoring port 5190 which is a good start, 
unfortunately users can get around it!

  Thanks,
  Derrick

  -----Original Message-----
  From: Jarret Gibson [mailto:jarret () osa comax com]
  Sent: Tuesday, October 29, 2002 3:38 PM
  To: snort-users () lists sourceforge net
  Subject: Re: [Snort-users] ICQ Rule

  Are you wanting a snort alert rule for any time someone uses ICQ?

  Or are you wanting a filter rule for something like Ethereal to capture packets?

  Jarret

  ----- Original Message ----- 
  From: Derrick Lichti 
  To: snort-users () lists sourceforge net 
  Sent: Tuesday, October 29, 2002 1:59 PM
  Subject: [Snort-users] ICQ Rule

  Hi All;

  I'm looking for a rule that would grab any packets from a client using ICQ. Does anybody know of any unique 
information that lies in ICQ message packets? Unfortunately, I don't have a method of testing this myself or else I 
would have grabbed packets and looked.

  Thanks!

  Derrick
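The two approaches discussed in this thread, watching port 5190 and matching "icq.com" plus "login" in UDP payloads, written out as Snort 2.x rules. This is an added example, not something posted by the participants; $HOME_NET and $EXTERNAL_NET are assumed to be defined in snort.conf, the sids are arbitrary values from the local range, and the payload strings are the heuristic suggested in the thread, not a verified protocol signature.

```snort
# Added example (not from the thread). Assumes $HOME_NET / $EXTERNAL_NET are set
# in snort.conf; sids 1000001-1000002 are placeholders in the local (>=1000000) range.

# Approach 1 (Derrick): alert on any outbound TCP connection to the default
# ICQ/AIM port. Cheap, but misses clients configured to use another port.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"POLICY ICQ/AIM client connection on default port 5190"; flow:to_server,established; classtype:policy-violation; sid:1000001; rev:1;)

# Approach 2 (Jarret): port-independent match on UDP payloads carrying both
# strings. nocase covers mixed case; the two content checks are independent,
# so both strings must appear somewhere in the same packet, in any order.
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY possible ICQ login (payload contains icq.com and login)"; content:"icq.com"; nocase; content:"login"; nocase; classtype:policy-violation; sid:1000002; rev:1;)
```

The second rule is a plain string heuristic and will also fire on any other UDP traffic that happens to carry both strings, so it should be checked against real captures before being trusted.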
