Snort mailing list archives

RE: Yahoo Instant Messenger


From: "Biswas, Proneet" <pbiswas () iPolicyNet COM>
Date: Mon, 19 Jan 2004 21:16:00 -0800

The Yahoo Messenger guidelines however say that the Messenger will search in
the order : 5050,80 and then any available open port.
 
http://help.yahoo.com/help/us/mesg/use/use-17.html
 
So the signature might need to be a triggered one with the first connection
to port 5050.
 

-----Original Message-----
From: CGhercoias () TWEC COM [mailto:CGhercoias () TWEC COM]
Sent: Monday, January 19, 2004 10:02 PM
To: MLittle () bocaresort com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Yahoo Instant Messenger
Importance: High


Here is what you'd want to filter on:

Protocol: TCP or HTTP 
Servers: 
- scs.msg.yahoo.com (216.155.193.182)
- scsa.msg.yahoo.com (216.155.193.183)
- scsb.msg.yahoo.com (216.136.173.184)
- scsc.msg.yahoo.com (216.155.193.141)
Ports: 20,23,25,80,119,5050,8001,8002 
 
Start a sniffer and hook it up to the network you want to protect. Do some
logins, logoffs and write some messages in Yahoo Messenger and see over
which ports the activity is happening.
Then define a variable with Yahoo servers, like:
var YAHOO [216.155.193.182/32,216.155.193.183/32,216.155.193.184/32,216.155.193.141/32]
 
Add rules, something like:

alert tcp $HOME_NET any -> $YAHOO 5050 (sid: 1000001; rev: 1; msg: "CHAT Yahoo Message"; flow: to_server,established; content: "YMSG"; nocase; classtype: policy-violation;)
 

_________________ 
Catalin, 

Tart words make no friends; a spoonful of honey will catch more flies than 
a gallon of vinegar. 
-- B. Franklin 



-----Original Message-----
From: Michael Little [mailto:MLittle () bocaresort com] 
Sent: Sunday, January 18, 2004 12:27 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Yahoo Instant Messenger



I see in the current chat rules that there are rules to detect MSN, AOL, and
ICQ. Does anyone have a rule or know how to detect Yahoo instant messenger?
I would like to block all instant messenger traffic in my network. 

Thanks, 
Mike Little 
Director of Network Services. 
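
Added example, not part of the original thread: the replies above note that Messenger falls back from port 5050 to 80 and then to any open port, so a rule bound to one port can miss it. The Python sketch below checks each payload for a YMSG header at offset 0 regardless of destination port and marks hits that are not on 5050. The 20-byte header layout is an assumption taken from public descriptions of the protocol, it assumes the fallback connection still carries the raw YMSG header, and the sample packets are constructed.

```python
import struct

# Assumed 20-byte YMSG header (from public protocol descriptions, not this
# thread): magic "YMSG", then version, vendor id, body length, service
# (16-bit each), then status and session id (32-bit each), all big-endian.
HEADER = struct.Struct(">4sHHHHII")
FIRST_PORT = 5050  # first port Messenger tries, per the thread


def parse_ymsg(payload):
    """Return (version, service, body_len) if payload starts with a YMSG header."""
    if len(payload) < HEADER.size:
        return None
    magic, version, _vendor, body_len, service, _status, _sid = HEADER.unpack_from(payload)
    if magic != b"YMSG":  # anchored at offset 0 and case-sensitive
        return None
    return version, service, body_len


def scan(packets):
    """packets: iterable of (src, dst, dport, payload); returns a list of alerts."""
    alerts = []
    for src, dst, dport, payload in packets:
        hdr = parse_ymsg(payload)
        if hdr is None:
            continue
        alerts.append({"src": src, "dst": dst, "dport": dport,
                       "version": hdr[0], "service": hdr[1],
                       "fallback_port": dport != FIRST_PORT})
    return alerts


def build_ymsg(service, body=b""):
    """Build a constructed sample packet (version 10 and session id are made up)."""
    return HEADER.pack(b"YMSG", 10, 0, len(body), service, 0, 0x1234) + body


# Constructed sample traffic; all addresses are documentation ranges.
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", 5050, build_ymsg(0x57, b"constructed-body")),
    ("192.0.2.11", "198.51.100.5", 80, build_ymsg(0x57, b"constructed-body")),
    ("192.0.2.12", "198.51.100.5", 5050, b"note: ymsg docs attached, see link"),
    ("192.0.2.13", "198.51.100.5", 5050, b"YMS"),  # truncated, too short
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The third sample contains "ymsg" in the middle of ordinary text and is not flagged, because the check is anchored to the start of the payload and is case-sensitive.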
  

