From: Ricardo Londoņo (ricardo_at_datawan.net)
Date: Mon Dec 02 2002 - 17:50:13 CST


    I have tried both rules and nothing! My AIM rule works great but not the
    MSN Messenger!

    Would the version of MSN have anything to do with how well the rule works?
    I remember an older version of snort would log MSN chat no problems...

    anyways, thanks for any suggestions!

    Ricardo

    ----- Original Message -----
    From: "Brian" <bmcsnort.org>
    To: "Derrick Lichti" <dlichtimitra.com>
    Cc: "Ricardo Londoņo" <ricardodatawan.net>;
    <snort-userslists.sourceforge.net>
    Sent: Monday, December 02, 2002 3:42 PM
    Subject: Re: [Snort-users] MSN Chat Rule Help

    On Mon, Dec 02, 2002 at 04:24:51PM -0500, Derrick Lichti wrote:
    > From: Ricardo Londoņo [mailto:ricardodatawan.net]
    >> My Current Rule:
    >> alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN chat access";
    >> flow:to_server,established; content:"text/plain"; depth:100;
    >> classtype:misc-activity; sid:540; rev:6;)

    > alert tcp any 1863 <> $HOME_NET any (msg:"MSN IM Chat Data Logged"; flags:PA;
    > content:"|746578742F706C61696E|"; depth:100;)

    These are the same signature, except the "official one" is a bit less
    crappy. (It's still crappy and needs revisited, but less so)

    "|746578742F706C61696E|" translates to "text/plain". The original content is
    much harder to read than the plain ASCII version. The "official" rule also
    uses flow instead of flags. I'll look at MSN messenger tonight and see what
    I can come up with.

    -brian

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users

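The content/depth matching that both quoted rules rely on, as an added example that is not code from the thread or from Snort: a minimal model of Snort's `|hex|` content notation, `depth`, and the `->` versus `<>` direction handling, run over constructed MSNP-style packets. The packet bytes, the client port 3421 and the helper names are assumptions.

```python
# Added example, not code from the thread or from Snort: a minimal model of
# Snort's content/depth matching, used to show how the two quoted MSN rules
# behave on constructed packets. Helper names and packet bytes are assumptions.
MSN_PORT = 1863  # the port both quoted rules key on

def parse_content(spec: str) -> bytes:
    """Decode a Snort content string: text between pipes is hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def content_in_depth(payload: bytes, content: bytes, depth: int) -> bool:
    """depth:N means the whole match must sit inside the first N payload bytes."""
    return content in payload[:depth]

def official_rule(pkt: dict) -> bool:
    """sid:540 as quoted: -> $EXTERNAL_NET 1863, flow:to_server, content:"text/plain"; depth:100."""
    return (pkt["to_server"] and pkt["dst_port"] == MSN_PORT
            and content_in_depth(pkt["payload"], parse_content("text/plain"), 100))

def derrick_rule(pkt: dict) -> bool:
    """Derrick's rule as quoted: any 1863 <> $HOME_NET any, flags:PA, hex content, depth:100.
    '<>' makes it direction-less; flags:PA only requires PSH+ACK, not an established flow."""
    psh_ack = "P" in pkt["flags"] and "A" in pkt["flags"]
    return (psh_ack and MSN_PORT in (pkt["src_port"], pkt["dst_port"])
            and content_in_depth(pkt["payload"], parse_content("|746578742F706C61696E|"), 100))

# Constructed MSNP-style MSG command; "text/plain" starts at payload offset 46.
MSG = (b"MSG 4 N 133\r\nMIME-Version: 1.0\r\n"
       b"Content-Type: text/plain; charset=UTF-8\r\n\r\nhello\r\n")
# Same header pushed past byte 100 by a long leading header: outside depth:100.
DEEP_MSG = b"MSG 4 N 200\r\nX-Pad: " + b"x" * 100 + b"\r\nContent-Type: text/plain\r\n"

def packet(payload: bytes, to_server: bool) -> dict:
    """Build a packet record; the client side uses an assumed ephemeral port 3421."""
    src, dst = (3421, MSN_PORT) if to_server else (MSN_PORT, 3421)
    return {"src_port": src, "dst_port": dst, "to_server": to_server,
            "flags": "PA", "payload": payload}

def evaluate(payload: bytes, to_server: bool) -> dict:
    """Return which of the two quoted rules would fire on this packet."""
    pkt = packet(payload, to_server)
    return {"official": official_rule(pkt), "derrick": derrick_rule(pkt)}

if __name__ == "__main__":
    print("client msg ", evaluate(MSG, True))       # both fire
    print("server msg ", evaluate(MSG, False))      # only derrick (bidirectional)
    print("deep header", evaluate(DEEP_MSG, True))  # neither: past depth:100
```

The third case is the one to keep in mind when a rule "works on an older version": if the client reorders or pads its headers so that the Content-Type line lands beyond byte 100, `depth:100` silently stops the match.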