Snort mailing list archives

Re: Snort and IM


From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 18 Feb 2013 13:39:10 -0700

Josh,

This is an Emerging Threats rule.  Also, I suspect that your session is 
going https, which means this rule won't see it.

James

On 2013-02-18 13:32, Josh Bitto wrote:
OH wait….hahaha…..brain fart….I see what you're saying, put
/ajax/mercury/send_messages.php

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/mercury/send_messages.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:3;)

From: Dustin Webber [mailto:dustin.webber () gmail com]
Sent: Monday, February 18, 2013 12:28 PM
To: Josh Bitto
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and IM

Josh,

Looks like this rule is just out of date. The post URL I see for this
is `/ajax/mercury/send_messages.php`, try that.

On Feb 18, 2013, at 2:21 PM, Josh Bitto <jbitto () onlineschool ca> wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:3;)

This rule is the one that was downloaded from snort.org....I don't
have any custom rule sets.

I'm able to go to facebook chat and chat up a storm with someone I
know and I don't even get an alert on it.

________________________________________
From: Dustin Webber [dustin.webber () gmail com]
Sent: Monday, February 18, 2013 12:18 PM
To: Josh Bitto
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and IM

What does your rule look like? Also, isn't that SSL traffic? Are you
looking for connections to a certain domain?

Anyway, let's see the rule and I'm sure we can get this going.

On Feb 18, 2013, at 2:04 PM, Josh Bitto <jbitto () onlineschool ca> wrote:

I'm having issues where I can't get the emerging threat rules to fire
on instant messaging or logging into teamspeak 3……I know that both
my WAN and LAN are working because of other tests that I have
conducted. Any ideas on my next course of action to fix the issue?


------------------------------------------------------------------------------
The Go Parallel Website, sponsored by Intel - in partnership with Geeknet,
is your hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials, tech docs,
whitepapers, evaluation guides, and opinion stories. Check out the most
recent posts - join the conversation now.
http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the
latest Snort news!



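As an added example that is not part of the thread, here is a small Python emulation of the rule's three HTTP content matches (http_method, http_uri, http_header), run over constructed requests: it shows that the downloaded rule's /ajax/chat/send.php URI no longer matches, that the URI Dustin observed does, and that, as James notes, a TLS session gives the rule no HTTP buffers to inspect at all. The sample request and the TLS record bytes are constructed, not captured traffic.

```python
# Added example (not from the thread): emulate the ET Facebook Chat rule's
# HTTP content matches over constructed request samples.

RULE_OLD_URI = "/ajax/chat/send.php"              # URI in the rule Josh downloaded
RULE_NEW_URI = "/ajax/mercury/send_messages.php"  # URI Dustin observed

def parse_http_request(raw: bytes):
    """Split a cleartext HTTP request into (method, uri, headers).
    Returns None when the bytes do not look like HTTP (e.g. a TLS record)."""
    try:
        head, _, _body = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, uri, version = lines[0].split(" ", 2)
        if not version.startswith("HTTP/"):
            return None
    except (UnicodeDecodeError, ValueError):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def rule_matches(raw: bytes, uri_pattern: str) -> bool:
    """Emulate: content:"POST"; http_method; content:<uri>; http_uri;
    content:"facebook.com"; http_header; (substring matches, as Snort does)."""
    parsed = parse_http_request(raw)
    if parsed is None:          # nothing the HTTP preprocessor could populate
        return False
    method, uri, headers = parsed
    header_blob = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    return "POST" in method and uri_pattern in uri and "facebook.com" in header_blob

# Constructed samples
CLEARTEXT_POST = (b"POST /ajax/mercury/send_messages.php?dpr=1 HTTP/1.1\r\n"
                  b"Host: www.facebook.com\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"message_batch[0][body]=hi")
# Leading bytes of a TLS ClientHello record: no method, URI or header is visible.
TLS_RECORD = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32

if __name__ == "__main__":
    print("old URI, cleartext:", rule_matches(CLEARTEXT_POST, RULE_OLD_URI))  # False
    print("new URI, cleartext:", rule_matches(CLEARTEXT_POST, RULE_NEW_URI))  # True
    print("new URI, TLS:      ", rule_matches(TLS_RECORD, RULE_NEW_URI))      # False
```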


