RE: Rules for AOL Instant messaging

["Cessna, Michael" <MCessna () rtm com>]

This rule will find AIM packets:
log tcp any any -> any any (msg: "AIM packet"; content:"|2A
02|";depth:2;flags:AP+;classtype:not-suspicious;priority:0;)

Aim runs on 5190 but can be set to use other ports. You can use the above
rule to capture all of the aim traffic and then either post process it for
what you are looking for.
 
Hope this helps,
Mike

-----Original Message-----
From: Joe Lawson [mailto:jlawson () financeware com]
Sent: Wednesday, December 05, 2001 1:02 PM
To: snort-users
Subject: [Snort-users] Rules for AOL Instant messaging



Greetings, 


Has anyone had any success in searching AOL message traffic for specific
keywords (as in illicit activity)? 

TIA, 

Joe Lawson