Re: scanning for emoticons in MSN messenger?

[Joel Esler <jesler () sourcefire com>]

Eric,

You'd have to grab a pcap of traffic to see what format the emoticon is in.
 Then you could write a simple content signature.

Joel

On Mon, May 3, 2010 at 3:07 AM, Eric Zheng <zhengeric () hotmail com> wrote:

>  I want to see if it's possible to make a rule to look for any custom
> emoticon being sent over MSN messenger.  I believe this is possible since a
> custom emoticon image has to be sent over the network, but I'm not sure how
> to look for it (file type matching? but I don't know what format custom
> emoticons are in).  I'm new to snort rules but I have been familiarizing
> myself with their syntax and usage.
>
> I believe it would be along the lines of:
>
> alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"Emoticon detected";
> <emoticon signature>;)
>
> Where <emoticon signature> are the requisites to trigger the alert.  Port
> 1863 is used for MSN messenger.
>
> Any help would be appreciated, thanks!
>
> ------------------------------
> The New Busy is not the too busy. Combine all your e-mail accounts with
> Hotmail. Get 
> busy.<http://www.windowslive.com/campaign/thenewbusy?tile=multiaccount&ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_4>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
------------------------------------------------------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs