Snort mailing list archives
Re: IM Logging - How to?
From: Ricardo Londoño <ricardo () datawan net>
Date: Fri, 17 Jan 2003 13:16:40 -0600
The following works for AIM.

Logs AIM logins:

alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"|2a 01|"; offset:0; depth:2; classtype:policy-violation; sid:1631; rev:4;)

Logs sent messages:

alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM send message"; flow:to_server,established; content:"|2a 02|"; offset:0; depth:2; content:"|00 04 00 06|"; offset:6; depth:4; classtype:policy-violation; sid:1632; rev:4;)

Logs received messages:

alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"CHAT AIM recieve message"; flow:to_client; content:"|2a 02|"; offset:0; depth:2; content:"|00 04 00 07|"; offset:6; depth:4; classtype:policy-violation; sid:1633; rev:3;)

Ricardo

----- Original Message -----
From: "Mike Shaw" <mshaw () wwisp com>
To: "Matt Yackley" <Matt.Yackley () perkinswill com>; "'Angel Gabriel'" <badmangabriel () lycos co uk>; <snort-users () lists sourceforge net>
Sent: Friday, January 17, 2003 12:26 PM
Subject: RE: [Snort-users] IM Logging - How to?
At 11:44 AM 1/17/2003 -0600, Matt Yackley wrote:

I believe that there is an IM capture util included with dsniff http://naughty.monkey.org/~dugsong/dsniff/ called msgsnarf, but since this package is a bit old I don't know how well it would work.

Matt

I haven't had much luck with msgsnarf. It seems the products and protocols might have changed since then.

I've used ngrep to snag IM transactions before. I think AIM is port 5190. MSN is a different port (can't remember). IIRC, Yahoo's messenger uses HTTP and is much harder to track states, etc.

Maybe someone else has had better luck.

-Mike

-------------------------------------------------------
This SF.NET email is sponsored by: Thawte.com - A 128-bit supercerts will allow you to extend the highest allowed 128 bit encryption to all your clients even if they use browsers that are limited to 40 bit encryption. Get a guide here: http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0030en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
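The three rules in Ricardo's message match fixed bytes of the OSCAR wire format: a FLAP frame starts with 0x2a and a frame type (0x01 signon, 0x02 data), followed by a 16-bit sequence number and a 16-bit payload length; a data frame then carries a SNAC header, and the |00 04 00 06| / |00 04 00 07| checks at offset 6 are SNAC family 0x0004 (ICBM) with the outgoing and incoming message subtypes. The Python below is an added example, not code from the post or from Snort: it decodes those fields, applies the same direction and subtype logic (a boolean stands in for the $HOME_NET / $AIM_SERVERS direction), and additionally walks every FLAP frame in a TCP segment, which a signature anchored at offset:0 cannot do. All sample frames are constructed inline for illustration, not captured traffic.

```python
"""
FLAP/SNAC classifier mirroring the AIM rules (sid 1631/1632/1633) in the post.
Added example; the constants follow the documented OSCAR framing, and every
sample frame below is built by hand rather than captured.
"""
import struct

FLAP_START = 0x2A
FLAP_SIGNON = 0x01      # sid 1631 matches |2a 01| at offset 0
FLAP_DATA = 0x02        # sid 1632/1633 match |2a 02| at offset 0
FLAP_HDR = 6            # 0x2a + type + seq(2) + length(2)
SNAC_HDR = 10           # family(2) + subtype(2) + flags(2) + request id(4)
SNAC_ICBM = 0x0004
ICBM_OUT = 0x0006       # |00 04 00 06| at offset 6: client -> server
ICBM_IN = 0x0007        # |00 04 00 07| at offset 6: server -> client


def parse_flap(data):
    """Return (frame_type, seq, payload) for one complete FLAP frame at the
    start of data, or None if the bytes are not a whole frame."""
    if len(data) < FLAP_HDR or data[0] != FLAP_START:
        return None
    frame_type, seq, length = struct.unpack("!BHH", data[1:FLAP_HDR])
    payload = data[FLAP_HDR:FLAP_HDR + length]
    if len(payload) != length:
        return None             # truncated frame: the rules would still fire on the first bytes
    return frame_type, seq, payload


def parse_snac(payload):
    """Return (family, subtype, flags, request_id, body) or None."""
    if len(payload) < SNAC_HDR:
        return None
    family, subtype, flags, req_id = struct.unpack("!HHHI", payload[:SNAC_HDR])
    return family, subtype, flags, req_id, payload[SNAC_HDR:]


def classify(frame, to_server):
    """Label one FLAP frame the way the rules would: 'login' (sid 1631),
    'send' (sid 1632) or 'receive' (sid 1633); None if no rule applies.
    to_server mirrors the rules' flow direction (client -> $AIM_SERVERS)."""
    parsed = parse_flap(frame)
    if parsed is None:
        return None
    frame_type, _, payload = parsed
    if frame_type == FLAP_SIGNON:
        return "login" if to_server else None
    if frame_type != FLAP_DATA:
        return None
    snac = parse_snac(payload)
    if snac is None or snac[0] != SNAC_ICBM:
        return None
    if to_server and snac[1] == ICBM_OUT:
        return "send"
    if not to_server and snac[1] == ICBM_IN:
        return "receive"
    return None


def classify_segment(data, to_server):
    """Walk every back-to-back FLAP frame in one TCP segment. The Snort rules
    anchor at offset 0, so only the first frame of a coalesced segment can
    match them; walking the frames closes that gap."""
    labels = []
    off = 0
    while off < len(data):
        parsed = parse_flap(data[off:])
        if parsed is None:
            break
        frame_len = FLAP_HDR + len(parsed[2])
        label = classify(data[off:off + frame_len], to_server)
        if label:
            labels.append(label)
        off += frame_len
    return labels


# Builders for constructed sample traffic (not captured data).
def build_snac(family, subtype, body=b"", flags=0, req_id=0):
    return struct.pack("!HHHI", family, subtype, flags, req_id) + body


def build_flap(frame_type, seq, payload):
    return bytes([FLAP_START, frame_type]) + struct.pack("!HH", seq, len(payload)) + payload


SIGNON = build_flap(FLAP_SIGNON, 1, b"\x00\x00\x00\x01")                       # FLAP version 1
SEND_MSG = build_flap(FLAP_DATA, 2, build_snac(SNAC_ICBM, ICBM_OUT, b"\x00" * 8 + b"\x00\x01\x03bob"))
RECV_MSG = build_flap(FLAP_DATA, 7, build_snac(SNAC_ICBM, ICBM_IN, b"\x00" * 8 + b"\x00\x01\x05alice"))
KEEPALIVE = build_flap(0x05, 3, b"")                                             # no rule matches

if __name__ == "__main__":
    print("signon to server    :", classify(SIGNON, True))
    print("message to server   :", classify(SEND_MSG, True))
    print("message from server :", classify(RECV_MSG, False))
    print("two frames, one seg :", classify_segment(SIGNON + SEND_MSG, True))
```

Note that the rules only look at bytes 0-1 and 6-9 of each packet payload, so they fire on the first frame of a segment and ignore anything after it; classify_segment shows what a stream-aware check picks up instead. Neither approach validates the FLAP length field against the segment, which the parser does and the signatures cannot.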
Current thread:
- RE: IM Logging - How to? Matt Yackley (Jan 17)
- RE: IM Logging - How to? Mike Shaw (Jan 17)
- Re: IM Logging - How to? Ricardo Londoño (Jan 17)
- <Possible follow-ups>
- RE: IM Logging - How to? Gonzalez, Albert (Jan 17)
- RE: IM Logging - How to? Khera, Manish (US - New York) (Jan 17)
- RE: IM Logging - How to? Mike Shaw (Jan 17)