Snort mailing list archives
RE: AOL Instant Messenger signature?
From: Dr SuSE <drsuse () drsuse org>
Date: Tue, 1 May 2001 20:23:46 GMT
I wouldn't use a rule that would rely on a specific port, but rather one that is based on a connection to login.oscar.aol.com, which is the server AIM users have to connect to in order to make AIM work. I used to have some info on many of the chat clients in use today, such as ports used and login servers. I'll see if I can dig that info up. You might want to simply block outbound traffic to login.oscar.aol.com at the firewall. An AIM rule would be more a rule used to enforce a site security policy or network usage policy. Does anyone have any thoughts as to perhaps building some policy type rules which would be separate from exploit/malicious traffic rules? I'm sure someone might find it useful.
Many of our users were smart enough to change the default port of 5190 to say 21.

-----Original Message-----
From: Blake Frantz [mailto:blake () mc net]
Sent: Tuesday, May 01, 2001 2:43 PM
To: Jones, Benny
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] AOL Instant Messenger signature?

Hello,

I spent about 30 mins playing and came up with the following:

- AIM 3.0 defaults to port 5190/tcp
- All packets were set to DF (Do not Fragment)
- The payload always started with "2A 02"

alert tcp $EXTERNAL_NET 5190 -> $HOME_NET 1024: (msg:"AOL Instant Messager - Inbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 5190 (msg:"AOL Instant Messager - Outbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)

If anyone can improve this or find any instances which cause this rule to fail, please speak up.

Blake Frantz
=================================================================
The Government, like diapers, should be replaced regularly, and often for the same reasons.

On Mon, 16 Apr 2001, Jones, Benny wrote:

Fellow snorters...
Is there a signature to detect AIM activity? I couldn't find one on www.snort.org or www.whitehats.com.
Thanks in advance.
Benny

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
---------------------------------------------
Microsoft is not installed.
http://www.drsuse.org/
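Added example, not part of the original posts: a port-independent check for the "2A 02" payload prefix discussed in this thread, which still matches when users move AIM off port 5190. It goes beyond the two-byte match by validating the 6-byte FLAP frame header (marker, channel, sequence, length) from public OSCAR write-ups, which is an assumption the thread does not state; all function names and sample payloads are constructed for illustration.

```python
import struct

FLAP_MARKER = 0x2A  # first payload byte reported in the thread ("2A 02")
# Channel meanings per public OSCAR write-ups (assumption, not from the thread).
FLAP_CHANNELS = {1: "signon", 2: "snac-data", 3: "error", 4: "signoff", 5: "keepalive"}
AIM_DEFAULT_PORT = 5190  # default port named in the thread


def parse_flap_frames(payload: bytes):
    """Return [(channel, seq, data_len), ...] if the payload is a clean run of
    FLAP frames, else []. Checks one TCP segment, like the rule's depth:2 match;
    a frame split across segments is deliberately not matched."""
    frames, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 6:           # header would be truncated
            return []
        marker, channel, seq, length = struct.unpack_from(">BBHH", payload, pos)
        if marker != FLAP_MARKER or channel not in FLAP_CHANNELS:
            return []
        if pos + 6 + length > len(payload):  # declared length overruns segment
            return []
        frames.append((channel, seq, length))
        pos += 6 + length
    return frames


def classify(dst_port: int, payload: bytes) -> str:
    """Label a segment by content first, then note whether the port was moved."""
    if not parse_flap_frames(payload):
        return "no-match"
    if dst_port == AIM_DEFAULT_PORT:
        return "aim-default-port"
    return "aim-nonstandard-port"


# Constructed sample payloads (not captured traffic).
SNAC = b"\x2a\x02\x00\x01\x00\x0a" + b"\x00" * 10   # channel 2, 10 data bytes
KEEPALIVE = b"\x2a\x05\x00\x02\x00\x00"             # channel 5, empty body
LOOKALIKE = b"\x2a\x02GARBAGE-not-flap"             # right prefix, bad length
FTP_BANNER = b"220 FTP server ready\r\n"            # real FTP on port 21

if __name__ == "__main__":
    for port, data in [(5190, SNAC), (21, SNAC + KEEPALIVE),
                       (21, FTP_BANNER), (5190, LOOKALIKE)]:
        print(port, classify(port, data))
```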