Snort mailing list archives
RE: AOL Instant Messenger signature?
From: "Scott, Joshua" <Joshua.Scott () jacobs com>
Date: Tue, 1 May 2001 16:25:26 -0400
Also, AIM has the ability to scan the network and use almost any other port. I've used AIM with ports 110, 80, 143, 23, and 21 to name a few. I'm new to Snort so I'm not sure how flexible the rules are, but can a rule be created that looks for certain data within a packet going to a particular domain or destination address? This may be one way to attempt to capture AIM.

-----Original Message-----
From: Dan Fiorito [mailto:danf () clearnetwork com]
Sent: Tuesday, May 01, 2001 12:38 PM
To: 'Blake Frantz'
Cc: Snort-Users (E-mail)
Subject: RE: [Snort-users] AOL Instant Messenger signature?

Many of our users were smart enough to change the default port of 5190 to say 21.

-----Original Message-----
From: Blake Frantz [mailto:blake () mc net]
Sent: Tuesday, May 01, 2001 2:43 PM
To: Jones, Benny
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] AOL Instant Messenger signature?

Hello,

I spent about 30 mins playing and came up with the following:

- AIM 3.0 defaults to port 5190/tcp
- All packets were set to DF (Do not Fragment)
- The payload always started with "2A 02"

alert tcp $EXTERNAL_NET 5190 -> $HOME_NET 1024: (msg:"AOL Instant Messenger - Inbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 5190 (msg:"AOL Instant Messenger - Outbound"; content:"|2A 02|"; offset:0; depth:2; fragbits:D;)

If anyone can improve this or find any instances which cause this rule to fail, please speak up.

Blake Frantz
=================================================================
The Government, like diapers, should be replaced regularly, and often for the same reasons.

On Mon, 16 Apr 2001, Jones, Benny wrote:
Fellow snorters...

Is there a signature to detect AIM activity? I couldn't find one on www.snort.org or www.whitehats.com.

Thanks in advance.

Benny

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
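Blake's two rules and Joshua's point about clients moved off port 5190, as an added example that is not part of this thread: a small Python matcher applies the rules as written, then a port-agnostic check validates the FLAP framing behind the "2A 02" prefix (the header layout, start byte 0x2A, channel, sequence, data length, is an assumption not stated in the thread). All packets are constructed samples, not captures.

```python
"""Matcher for the AIM signature from the thread plus a port-agnostic FLAP check."""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src_port: int
    dst_port: int
    df: bool        # IP "Don't Fragment" bit, what Snort's fragbits:D tests
    payload: bytes  # TCP payload


def blake_rule(pkt: Packet) -> Optional[str]:
    """Blake Frantz's rules: |2A 02| at offset 0, depth 2, DF set,
    port 5190 on one side and an ephemeral (1024:) port on the other."""
    if not (pkt.df and pkt.payload[:2] == b"\x2a\x02"):
        return None
    if pkt.src_port == 5190 and pkt.dst_port >= 1024:
        return "inbound"
    if pkt.dst_port == 5190 and pkt.src_port >= 1024:
        return "outbound"
    return None


def looks_like_flap(payload: bytes) -> bool:
    """Port-agnostic check (assumed header: 0x2A, channel, u16 seq, u16 length).
    Requiring the length field to agree with the payload rejects two-byte
    coincidences that the bare |2A 02| content match would fire on."""
    if len(payload) < 6 or payload[0] != 0x2A:
        return False
    channel, _seq, length = struct.unpack("!BHH", payload[1:6])
    return 1 <= channel <= 5 and length == len(payload) - 6


def flap(channel: int, seq: int, data: bytes) -> bytes:
    """Build a FLAP frame for the constructed samples below."""
    return struct.pack("!BBHH", 0x2A, channel, seq, len(data)) + data


# Constructed sample traffic (ports and bytes invented for illustration).
SAMPLES = {
    "aim_5190": Packet(5190, 33001, True, flap(2, 1, b"\x00\x01\x00\x0e" + b"\x00" * 6)),
    "aim_on_21": Packet(21, 33002, True, flap(2, 7, b"\x00\x04\x00\x06")),  # AIM moved to 21
    "ftp_banner": Packet(21, 33003, True, b"220 ftp.example.test FTP server ready\r\n"),
    "lookalike": Packet(5190, 33004, True, b"\x2a\x02" + b"junk" * 4),  # prefix only, bogus header
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:11s} rule={blake_rule(pkt)!s:9s} flap={looks_like_flap(pkt.payload)}")
```

The "aim_on_21" sample is missed by the port-bound rules but caught by the FLAP check, while "lookalike" shows the opposite: the two-byte content match fires and the header check does not.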
Current thread:
- Re: AOL Instant Messenger signature? Blake Frantz (May 01)
- <Possible follow-ups>
- RE: AOL Instant Messenger signature? Dan Fiorito (May 01)
- RE: AOL Instant Messenger signature? Neil Dickey (May 01)
- RE: AOL Instant Messenger signature? Blake Frantz (May 01)
- RE: AOL Instant Messenger signature? Dr SuSE (May 01)
- RE: AOL Instant Messenger signature? Scott, Joshua (May 01)
- RE: AOL Instant Messenger signature? Neil Dickey (May 01)