Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort and IM

From: Josh Bitto <jbitto () onlineschool ca>
Date: Mon, 18 Feb 2013 12:41:30 -0800
oO I didn't know teamspeak used ssl....ok that explains a lot....

Thank you!

I'm wondering why they created a rule set for tcp if the standard is in ssl....



From: Dustin Webber [mailto:dustin.webber () gmail com]
Sent: Monday, February 18, 2013 12:39 PM
To: Josh Bitto
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort and IM

Yea, that will be the same story. :(

On Feb 18, 2013, at 2:37 PM, Josh Bitto <jbitto () onlineschool ca<mailto:jbitto () onlineschool ca>> wrote:


Ok so what about teamspeak?



From: Dustin Webber [mailto:dustin.webber () gmail com<http://gmail.com>]
Sent: Monday, February 18, 2013 12:36 PM
To: Josh Bitto
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and IM

But like I said.. facebook is over ssl by default.. so you wont see this. only the initial request.


On Feb 18, 2013, at 2:32 PM, Josh Bitto <jbitto () onlineschool ca<mailto:jbitto () onlineschool ca>> wrote:



OH wait....hahaha.....brain fart....I see what your saying put 
/ajax/mercury/send_messages.php<https://www.facebook.com/ajax/mercury/send_messages.php>

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; 
flow:established,to_server; content:"POST"; http_method; 
content:"/ajax/mercury/send_messages.php<https://www.facebook.com/ajax/mercury/send_messages.php>"; http_uri; 
content:"facebook.com<http://facebook.com>"; http_header; 
reference:url,doc.emergingthreats.net/2010784<http://doc.emergingthreats.net/2010784>; classtype:policy-violation; 
sid:2010784; rev:3;)

From: Dustin Webber [mailto:dustin.webber () gmail com<http://gmail.com>]
Sent: Monday, February 18, 2013 12:28 PM
To: Josh Bitto
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and IM

Josh,

Looks like this rule is just out of date. The post URL I see for this is 
`/ajax/mercury/send_messages.php<https://www.facebook.com/ajax/mercury/send_messages.php>` try that.

On Feb 18, 2013, at 2:21 PM, Josh Bitto <jbitto () onlineschool ca<mailto:jbitto () onlineschool ca>> wrote:




alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; 
flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; 
content:"facebook.com<http://facebook.com>"; http_header; 
reference:url,doc.emergingthreats.net/2010784<http://doc.emergingthreats.net/2010784>; classtype:policy-violation; 
sid:2010784; rev:3;)



This rule is the one that was downloaded from snort.org<http://snort.org>....I don't have any custom rule sets.

I'm able to go to facebook chat and chat up a storm with someone I know and I don't even get an alert on it.



________________________________________
From: Dustin Webber [dustin.webber () gmail com<mailto:dustin.webber () gmail com>]
Sent: Monday, February 18, 2013 12:18 PM
To: Josh Bitto
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort and IM

What does your rule look like. Also, isn't that ssl traffic? Are you looking for connections to a certain domain?

Anyway, lets see the rule and in sure we can get this going.

On Feb 18, 2013, at 2:04 PM, Josh Bitto <jbitto () onlineschool ca<mailto:jbitto () onlineschool ca><mailto:jbitto () 
onlineschool ca>> wrote:

I'm having issues where I can't get the emerging threat rules to fire on instant messaging or logging into teamspeak 
3......I know that both my WAN and LAN are working because of other tests that I have conducted. Any ideas on my next 
course of action to fix the issue?


------------------------------------------------------------------------------
The Go Parallel Website, sponsored by Intel - in partnership with Geeknet,
is your hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials, tech docs,
whitepapers, evaluation guides, and opinion stories. Check out the most
recent posts - join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net><mailto:Snort-users () lists 
sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
The Go Parallel Website, sponsored by Intel - in partnership with Geeknet, 
is your hub for all things parallel software development, from weekly thought 
leadership blogs to news, videos, case studies, tutorials, tech docs, 
whitepapers, evaluation guides, and opinion stories. Check out the most 
recent posts - join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: