Snort mailing list archives
Re: scanning for emoticons in MSN messenger?
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 4 May 2010 07:24:30 -0400
snort doesn't treat an emoticon as plaintext, an Emoticon IS plain text. But yes, you'd have to do string check rules.

On Tuesday, May 4, 2010, Eric Zheng <zhengeric () hotmail com> wrote:
Would it be possible to detect when an emoticon is being used without looking at the format of the image being sent? Doing so of course without 10 different string check rules for 10 different emoticons. Basically a single rule to acknowledge that an emoticon has been sent. I'm not sure if it's possible since snort treats an emoticon as plain text (ie, a smiley face is read as ":)" ).

Date: Mon, 3 May 2010 08:38:48 -0400
Subject: Re: [Snort-sigs] scanning for emoticons in MSN messenger?
From: jesler () sourcefire com
To: zhengeric () hotmail com
CC: snort-sigs () lists sourceforge net

Eric,

You'd have to grab a pcap of traffic to see what format the emoticon is in. Then you could write a simple content signature.

Joel

On Mon, May 3, 2010 at 3:07 AM, Eric Zheng <zhengeric () hotmail com> wrote:

I want to see if it's possible to make a rule to look for any custom emoticon being sent over MSN messenger. I believe this is possible since a custom emoticon image has to be sent over the network, but I'm not sure how to look for it (file type matching? but I don't know what format custom emoticons are in). I'm new to snort rules but I have been familiarizing myself with their syntax and usage. I believe it would be along the lines of:

alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"Emoticon detected"; <emoticon signature>;)

Where <emoticon signature> are the requisites to trigger the alert. Port 1863 is used for MSN messenger.

Any help would be appreciated, thanks!

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
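An added example, not part of the original thread and not written by either poster: two local rules showing the "capture first, then write a content signature" approach and a single-rule alternative to ten separate string checks. The `text/x-mms-emoticon` header value is an assumption about how the client announces a custom emoticon and should be confirmed against your own pcap; the SIDs and message strings are constructed.

```snort
# Added example: local rules. SIDs are constructed values in the local range.
# Direction and port follow the rule skeleton quoted in the thread.

# 1) Custom emoticon announcement.
#    Assumes the MSN MSG command carries the MIME header
#    "Content-Type: text/x-mms-emoticon"; verify this in a capture first.
alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"LOCAL MSN custom emoticon announced"; flow:established,to_client; content:"MSG "; content:"Content-Type|3A| text/x-mms-emoticon"; nocase; distance:0; classtype:policy-violation; sid:1000001; rev:1;)

# 2) Plain-text emoticons in a chat message, one rule instead of one per smiley.
#    The pcre runs relative to the Content-Type match (/R), skips to the blank
#    line that ends the MIME headers, then looks for ":" or ";" followed by an
#    optional "-" and one of ) ( D P O. The colon and semicolon are written as
#    \x3a and \x3b so the rule parser does not treat ";" as an option separator.
alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"LOCAL MSN text emoticon in message"; flow:established,to_client; content:"MSG "; content:"Content-Type|3A| text/plain"; nocase; distance:0; pcre:"/\r\n\r\n[^\r\n]*[\x3a\x3b]-?[)(DPO]/R"; classtype:policy-violation; sid:1000002; rev:1;)
```

Rule 2 only matches when the MIME headers and the message body arrive in the same inspected payload, and its character class needs extending for any emoticon spelling not listed.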
Current thread:
- scanning for emoticons in MSN messenger? Eric Zheng (May 03)
- Re: scanning for emoticons in MSN messenger? Joel Esler (May 03)
- Re: scanning for emoticons in MSN messenger? Eric Zheng (May 03)
- Re: scanning for emoticons in MSN messenger? Joel Esler (May 04)
- Re: scanning for emoticons in MSN messenger? Eric Zheng (May 03)
- Re: scanning for emoticons in MSN messenger? Joel Esler (May 03)