Try this:

alert tcp any 1863 <> $HOME_NET any (msg:"MSN IM Chat Data Logged"; flags:PA; content:"|746578742F706C61696E|"; depth:100;)

(from Silicon Defense I believe)

-----Original Message-----
From: Ricardo Londoño [mailto:ricardodatawan.net]
Sent: Monday, December 02, 2002 4:05 PM
To: snort-userslists.sourceforge.net
Subject: [Snort-users] MSN Chat Rule Help

My MSN Chat rule does not seem to be working. I have also tried different
variations I found on the web with no luck.

Does anyone have a good working MSN Chat rule?

My Current Rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN chat access";
flow:to_server,established; content:"text/plain"; depth:100;
classtype:misc-activity; sid:540; rev:6;)

thanks

Ricardo

-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T
handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T
handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]