Snort mailing list archives
Re: ICQ Rule
From: "Jarret Gibson" <jarret () osa comax com>
Date: Tue, 29 Oct 2002 16:02:21 -0500
Write a rule to check for UDP packets containing "icq.com" and "login". That info is usually contained in a packet every time they log on to ICQ. I haven't bothered with learning to write rules yet, but from what I've seen, something like this would be pretty simple.

Jarret

----- Original Message -----
From: Derrick Lichti
To: snort-users () lists sourceforge net
Sent: Tuesday, October 29, 2002 3:49 PM
Subject: RE: [Snort-users] ICQ Rule

Preferably every time somebody uses ICQ. I've been pointed towards monitoring port 5190, which is a good start; unfortunately users can get around it!

Thanks,
Derrick

-----Original Message-----
From: Jarret Gibson [mailto:jarret () osa comax com]
Sent: Tuesday, October 29, 2002 3:38 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ICQ Rule

Are you wanting a snort alert rule for any time someone uses ICQ? Or are you wanting a filter rule for something like Ethereal to capture packets?

Jarret

----- Original Message -----
From: Derrick Lichti
To: snort-users () lists sourceforge net
Sent: Tuesday, October 29, 2002 1:59 PM
Subject: [Snort-users] ICQ Rule

Hi All;

I'm looking for a rule that would grab any packets from a client using ICQ. Does anybody know of any unique information that lies in ICQ message packets? Unfortunately, I don't have a method of testing this myself or else I would have grabbed packets and looked.

Thanks!
Derrick
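The rule Jarret describes, written out in Snort rule syntax, as an added example that is not part of the original thread. The msg strings, the sid values (1000001 and 1000002, in the range reserved for local rules) and the $HOME_NET/$EXTERNAL_NET variables are my own choices; the two content strings are the ones named in the thread. Two variants are shown so the trade-off Derrick raises is visible: one pinned to port 5190, one that inspects UDP on any port.

```snort
# Added example, not from the thread. Both rules require the payload to
# contain "icq.com" AND "login" (plain substring matches, case-insensitive).
# sid values and msg text are assumed placeholders in the local-rule range.

# Variant 1: only the standard ICQ/AIM port. Cheap, but misses clients that
# have been pointed at another port, as the thread notes.
alert udp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"LOCAL ICQ login on 5190"; \
    content:"icq.com"; nocase; content:"login"; nocase; \
    classtype:policy-violation; sid:1000001; rev:1;)

# Variant 2: any UDP port. Catches clients that moved off 5190, at the cost
# of matching every UDP payload and of more false positives from other
# traffic that happens to carry both strings (e.g. DNS answers or web text).
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL ICQ login any port"; \
    content:"icq.com"; nocase; content:"login"; nocase; \
    classtype:policy-violation; sid:1000002; rev:1;)
```

Both rules fire only when the two strings appear in the same packet, which is the check the thread proposes; neither validates ICQ protocol structure, so a hit is a lead to confirm against the captured packet rather than proof of an ICQ login. Before deploying variant 2, it is worth running it against a sample of your own UDP traffic to see how often unrelated payloads trip it.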
Current thread:
- ICQ Rule Derrick Lichti (Oct 29)
- Re: ICQ Rule Jarret Gibson (Oct 29)
- <Possible follow-ups>
- RE: ICQ Rule Derrick Lichti (Oct 29)
- Re: ICQ Rule Jarret Gibson (Oct 29)