RE: AOL Instant Messenger signature?

[Dr SuSE <drsuse () drsuse org>]

I wouldnt use a rule that would rely on a specific port but rather one that is 
based on a connection to login.oscar.aol.com which is the server AIM users have 
to connect to in order to make AIM work.  

I use to have some info on all many of the chat clients in use today such as 
ports used and login servers.  I'll see if I can dig that info up.

You might want to simply block outbound traffic to login.oscar.aol.com at the 
firewall.

An AIM rule would be more a rule used to enforce a site security policy or 
network usage policy.  Does anyone have any thoughts as to perhaps building 
some policy type rules which would be seperate of exploit/malicious traffic 
rules?  I'm sure someone might find it useful.

> Many of our users where smart enough to change the default port of 5190 to
> say 21.
>
> -----Original Message-----
> From: Blake Frantz [mailto:blake () mc net]
> Sent: Tuesday, May 01, 2001 2:43 PM
> To: Jones, Benny
> Cc: 'snort-users () lists sourceforge net'
> Subject: Re: [Snort-users] AOL Instant Messenger signature?
>
>
>
> Hello,
>
> I spent about 30 mins playing and came up with the following:
>
>    - AIM 3.0 defaults to port 5190/tcp
>    - All packets we set to DF (Do not Fragment)
>    - The payload always started with "2A 02"
>
> alert tcp $EXTERNAL_NET 5190 -> $HOME_NET 1024: (msg:"AOL Instant Messager -
> Inbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;) 
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 5190 (msg:"AOL Instant Messager -
> Outbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;) 
>
> If anyone can improve this or find any instances which cause this rule
> to fail, please speak up.
>
> Blake Frantz
>
> ================================================================= 
> The Government, like diapers, should be replaced regularly, and
> often for the same reasons. 
>
> On Mon, 16 Apr 2001, Jones, Benny wrote:
>
> > Fellow snorters...
> >
> > Is there a signature to detect AIM activity?
> > I couldn't find one on www.snort.org or
> > www.whitehats.com.
> >
> > Thanks in advance.
> >
> > Benny
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




---------------------------------------------
Microsoft ist nicht installiert.
http://www.drsuse.org/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users