Snort mailing list archives

RE: Snort-users digest, Vol 1 #2589 - 3 msgs


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Mon, 16 Dec 2002 15:32:37 -0500

In answer to your question:  

1) Presuming that AIM only uses TCP port 5190 and is not proxied, then yes,
the rule you note below will generate a Snort alert for all AIM packets it
captures.  

2) As I just noted above, Snort will generate an alert, and depending on
logging facility you use, Snort will either log the entire contents of the
*packet* or just some high-level information.  You may want to consider
making the AIM rule only a logging rule (i.e., "log tcp any any -> any
5190") to avoid getting overrun by alerts generated by AIM traffic.  Unless
of course, you actually want those alerts  ;)  

3) And no, the rule will not capture the whole AIM conversation.  Though I
imagine that it would be possible to use binary logging or the unified log
facility and some sort of post processor to piece together all of the AIM
packets captured and reconstruct the AIM conversation.  

4) Yes, create a .rules file (or use the local.rules) and make reference to
it in the snort.conf file.  

- Christopher
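Christopher's point (3) above, that a post processor could piece the captured AIM packets back together, as an added example that is not from this thread or from Snort itself: it takes raw Ethernet frames as Snort's binary (pcap-format) log would contain them, keeps only TCP port 5190 segments that carry data, and rebuilds each direction of each flow in sequence order, tolerating out-of-order segments, retransmissions and holes in the capture. Reading the pcap record headers is assumed to be done by the caller; the addresses and payloads below are constructed.

```python
import struct
from collections import defaultdict
AIM_PORT = 5190  # the port the thread's rule matches on

def parse_frame(frame):
    """Ethernet/IPv4/TCP frame -> ((src, sport, dst, dport), seq, payload) or None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                       # not IPv4 over Ethernet, or not TCP
    ihl = (frame[14] & 0x0F) * 4
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:14 + struct.unpack("!H", frame[16:18])[0]]  # drop trailer
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    payload = tcp[(tcp[12] >> 4) * 4:]    # skip the TCP header and options
    if AIM_PORT not in (sport, dport) or not payload:
        return None                       # other traffic, or a bare ACK
    return ((src, sport, dst, dport), seq, payload)

def reassemble(frames):
    """One byte stream per direction of each AIM flow, ordered by TCP seq."""
    flows = defaultdict(dict)
    for frame in frames:
        if parsed := parse_frame(frame):
            key, seq, payload = parsed
            flows[key].setdefault(seq, payload)   # retransmit: keep first copy
    streams = {}
    for key, segs in flows.items():
        base, buf = min(segs), bytearray()
        for seq in sorted(segs):
            off = seq - base
            if off > len(buf):                    # hole in the capture: mark it
                buf.extend(b"?" * (off - len(buf)))
            buf[off:off + len(segs[seq])] = segs[seq]
        streams[key] = bytes(buf)
    return streams

def build_frame(src, sport, dst, dport, seq, payload):
    """Constructed test frame; checksums are left zero, which parsing ignores."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    src, dst = (bytes(map(int, a.split("."))) for a in (src, dst))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

CLIENT, SERVER = "10.0.0.5", "64.12.24.1"   # constructed addresses
SAMPLE_FRAMES = [                           # out of order, plus one retransmit
    build_frame(CLIENT, 40000, SERVER, AIM_PORT, 1000, b"<HTML>hel"),
    build_frame(CLIENT, 40000, SERVER, AIM_PORT, 1017, b"</HTML>"),
    build_frame(CLIENT, 40000, SERVER, AIM_PORT, 1009, b"lo there"),
    build_frame(CLIENT, 40000, SERVER, AIM_PORT, 1000, b"<HTML>hel"),
    build_frame(CLIENT, 40000, SERVER, 80, 1, b"GET / HTTP/1.0"),   # not AIM
]
```

`reassemble(SAMPLE_FRAMES)` yields one stream, the client-to-server side, reading `<HTML>hello there</HTML>`; the HTTP frame is ignored and the duplicate segment is kept only once.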


-----Original Message-----
From: "Shafer, Troy" <tshafer () laurel k12 ky us>
To: "'snort-users () lists sourceforge net'"
         <snort-users () lists sourceforge net>
Date: Mon, 16 Dec 2002 14:57:42 -0500
Subject: [Snort-users] another question

I found this code on the net for logging aim traffic...

alert tcp any any -> any 5190 (msg:"AIM Message"; content:"HTML";)

my first question, does this actually log the content of the messages and
two how would I implement this with snort... write a .rules file... then put
an include in the snort.conf?  Still trying to figure this snort thing
out...

Troy Shafer
Network Engineer
Laurel County Schools
 
606-862-4616
tshafer () laurel k12 ky us

