Snort mailing list archives
Re: MSN Chat Rule Help
From: Brian <bmc () snort org>
Date: Mon, 2 Dec 2002 16:42:14 -0500
On Mon, Dec 02, 2002 at 04:24:51PM -0500, Derrick Lichti wrote:
> From: Ricardo Londoño [mailto:ricardo () datawan net]
> My Current Rule:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN chat access"; flow:to_server,established; content:"text/plain"; depth:100; classtype:misc-activity; sid:540; rev:6;)
>
> alert tcp any 1863 <> $HOME_NET any (msg:"MSN IM Chat Data Logged"; flags:PA; content:"|746578742F706C61696E|"; depth:100;)
These are the same signature, except the "official one" is a bit less crappy. (It's still crappy and needs to be revisited, but less so.) "|746578742F706C61696E|" translates to "text/plain". The original content is much harder to read than the plain ASCII version. The "official" rule also uses flow instead of flags.

I'll look at MSN messenger tonight and see what I can come up with.

-brian
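Brian's point is that the two content strings are the same bytes written two ways. The following is an added example, not code from this thread or from the Snort project: a small Python decoder for Snort content strings (pipe-delimited hex runs mixed with literal text) that confirms the two rules quoted above match the same pattern. The rule text is copied from the thread; the function and variable names are my own.

```python
import re

# Snort content syntax: literal text, with |hh hh ...| runs meaning raw hex bytes.
HEX_RUN = re.compile(r"\|([0-9A-Fa-f\s]*)\|")


def _literal(seg: str) -> bytes:
    # Snort requires ; " and \ to be backslash-escaped inside a content string.
    return re.sub(r'\\([\\";])', r"\1", seg).encode("latin-1")


def decode_snort_content(content: str) -> bytes:
    """Turn a Snort content string into the byte pattern Snort actually matches."""
    out = bytearray()
    pos = 0
    for m in HEX_RUN.finditer(content):
        out += _literal(content[pos:m.start()])      # literal segment before |...|
        hexdigits = "".join(m.group(1).split())      # spaces inside |...| are allowed
        if len(hexdigits) % 2:
            raise ValueError(f"odd-length hex run in content: {m.group(0)}")
        out += bytes.fromhex(hexdigits)
        pos = m.end()
    out += _literal(content[pos:])                   # trailing literal segment
    return bytes(out)


def content_option(rule: str) -> str:
    """Return the value of the first content:"..." option in a rule."""
    m = re.search(r'content:\s*"((?:[^"\\]|\\.)*)"', rule)
    if not m:
        raise ValueError("rule has no content option")
    return m.group(1)


def same_pattern(rule_a: str, rule_b: str) -> bool:
    """True when both rules' first content options match the same bytes."""
    return decode_snort_content(content_option(rule_a)) == decode_snort_content(content_option(rule_b))


# The two rules from the thread: the official sid:540 rule and the hex-content original.
OFFICIAL = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN chat access"; '
            'flow:to_server,established; content:"text/plain"; depth:100; '
            'classtype:misc-activity; sid:540; rev:6;)')
ORIGINAL = ('alert tcp any 1863 <> $HOME_NET any (msg:"MSN IM Chat Data Logged"; '
            'flags:PA; content:"|746578742F706C61696E|"; depth:100;)')

if __name__ == "__main__":
    print(decode_snort_content(content_option(ORIGINAL)))  # b'text/plain'
    print(same_pattern(OFFICIAL, ORIGINAL))                # True
```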