Snort mailing list archives

Snort rule for AIM file transfers?


From: "Michael Janke" <Michael.Janke () csu mnscu edu>
Date: Fri, 10 Oct 2003 10:41:57 -0500

We'd like to have a rule that flags AOL/AIM file transfers. Our IM
policy is that it is OK to use IM, but not OK to use IM for file xfers.


So far I've got: 

1) Ports: xfers are random tcp >1024
2) Endpoints xfer directly between each other w/o oscar servers
involved. 
3) There seems to be a consistent set of bytes in the payload, based on
testing of one client. 

Here is a packet, with the TCP payload starting with '4f46 5432' 

           48: 6270 adcf 0000 4f46 5432 0100 0204 9f02   bp....OFT2......
           64: 0b00 6243 0000 0000 0000 0001 0001 0001   ..bC............
           80: 0001 0001 0000 0001 0000 3f66 6286 094e   ..........?fb..N
           96: 0000 ffff 0000 0000 0000 0000 0000 ffff   ................
          112: 0000 0001 0000 094e 0000 436f 6f6c 2046   .......N..Cool F
          128: 696c 6558 6665 7200 0000 0000 0000 0000   ileXfer.........

It looks like the 'Cool FileXfer' is also consistent. 

Has anyone else written a rule for AIM xfers? If not, would this be a
useful rule for others?

--Mike


___________________________________
Michael Janke
Director, Network Services
Minnesota State Colleges and Universities
1450 Energy Park Drive Suite 300
St Paul MN 55108
Voice:651-649-5982 Cell:651-775-9343 Fax: 651-649-5770
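Worked example added by the editor; it is not part of Michael's post and not Snort project code. It re-types the hex dump from the post, cuts it down to the TCP payload starting at "4f46 5432" (frame offset 54, as the post says), decodes the OSCAR File Transfer (OFT2) header and returns the Snort 2 rule the two constant byte strings imply. The field layout (length, type, cookie, counters, sizes, checksums, then a 32-byte id string at payload offset 68) is taken from the libfaim/libpurple OFT header definition; the post only shows the "OFT2" magic and the "Cool FileXfer" string, so treat the layout, the type names and the rule (untested, local sid) as assumptions.

```python
"""Decode the OFT2 header from the packet dump in the post and derive a rule.

Editor-added example. The dump bytes are the ones in the post; the field
layout is the libfaim/libpurple OFT2 header (assumed, not stated in the post).
"""
import struct
from datetime import datetime, timezone

# Constructed from the hex dump in the post (frame bytes 48..143).
FRAME_DUMP = """\
 48: 6270 adcf 0000 4f46 5432 0100 0204 9f02
 64: 0b00 6243 0000 0000 0000 0001 0001 0001
 80: 0001 0001 0000 0001 0000 3f66 6286 094e
 96: 0000 ffff 0000 0000 0000 0000 0000 ffff
112: 0000 0001 0000 094e 0000 436f 6f6c 2046
128: 696c 6558 6665 7200 0000 0000 0000 0000
"""
FRAME_DUMP_BASE = 48    # frame offset of the first dumped byte
TCP_PAYLOAD_START = 54  # frame offset of "4f46 5432", per the post

OFT2_MAGIC = b"OFT2"
OFT2_ID_STRING = b"Cool FileXfer"
OFT2_ID_OFFSET = 68     # payload offset of the 32-byte id string (assumed layout)

# Assumed OFT2 message types, named as in libfaim.
OFT2_TYPES = {0x0101: "prompt", 0x0202: "ack", 0x0204: "done"}

# Fixed fields up to the id string: magic, length, type, 8-byte cookie,
# six 16-bit counters, ten 32-bit values.  struct.calcsize(_OFT2_FMT) == 68.
_OFT2_FMT = ">4sHH8s6H10I"
_OFT2_FIELDS = (
    "length", "type", "cookie",
    "encrypt", "compress", "totfiles", "filesleft", "totparts", "partsleft",
    "totsize", "size", "modtime", "checksum", "rfrcsum", "rfsize",
    "cretime", "rfcsum", "nrecvd", "recvcsum",
)


def payload_from_dump(dump, base=FRAME_DUMP_BASE, payload_start=TCP_PAYLOAD_START):
    """Rebuild raw bytes from an 'offset: xxxx xxxx ...' dump, cut to the TCP payload."""
    raw = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        offset, hexwords = line.split(":", 1)
        if int(offset) != base + len(raw):
            raise ValueError("dump offsets are not contiguous at %s" % offset.strip())
        raw += bytes.fromhex(hexwords.replace(" ", ""))
    return bytes(raw[payload_start - base:])


def parse_oft2(payload):
    """Return the decoded OFT2 header as a dict, or None if the payload is not OFT2."""
    if len(payload) < struct.calcsize(_OFT2_FMT) or not payload.startswith(OFT2_MAGIC):
        return None
    values = struct.unpack_from(_OFT2_FMT, payload)
    hdr = dict(zip(_OFT2_FIELDS, values[1:]))  # values[0] is the magic
    hdr["type_name"] = OFT2_TYPES.get(hdr["type"], "unknown")
    # The id string is NUL padded to 32 bytes; the dump is truncated, so take what is there.
    idstr = payload[OFT2_ID_OFFSET:OFT2_ID_OFFSET + 32]
    hdr["idstring"] = idstr.split(b"\0", 1)[0]
    hdr["modtime_utc"] = datetime.fromtimestamp(hdr["modtime"], timezone.utc).isoformat()
    return hdr


def is_aim_file_transfer(payload):
    """Detection predicate with exactly the two content matches the rule below uses."""
    return (payload[:len(OFT2_MAGIC)] == OFT2_MAGIC
            and payload[OFT2_ID_OFFSET:OFT2_ID_OFFSET + len(OFT2_ID_STRING)] == OFT2_ID_STRING)


def snort_rule(sid=1000001):
    """Assumed, untested Snort 2 rule: "Cool FileXfer" is anchored 64 bytes past the
    end of the 4-byte "OFT2" match, i.e. at payload offset 68, via distance/within."""
    return ('alert tcp any 1024: -> any 1024: (msg:"AIM OFT2 file transfer"; '
            'flow:established; content:"OFT2"; depth:4; '
            'content:"Cool FileXfer"; distance:64; within:13; '
            'classtype:policy-violation; sid:%d; rev:1;)' % sid)


if __name__ == "__main__":
    payload = payload_from_dump(FRAME_DUMP)
    hdr = parse_oft2(payload)
    print("matches:", is_aim_file_transfer(payload))
    for key in ("type_name", "totfiles", "size", "nrecvd", "checksum", "recvcsum",
                "idstring", "modtime_utc"):
        print("%-12s %r" % (key, hdr[key]))
    print(snort_rule())
```

Decoded under that layout, the dump is self-consistent: a type 0x0204 ("done") frame for one file of 65536 bytes, with nrecvd equal to size and recvcsum equal to checksum, and the two "rf" checksum fields holding 0xffff0000. The rule deliberately matches on the two byte strings the post observed rather than on the ports (1024: on both sides, since the endpoints talk directly on random high ports), so anything not starting with "OFT2" and carrying the id string at offset 68 is left alone.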


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
