Snort Forums Archive
MSN Rules
Posted by iceburn on March 23, 2005 07:09:10
I've studied the MS Messenger in the chat.rules file. I found it strange that snort didn't identify any MSN related traffic when indeed there was this kind of traffic.
After looking at the rules, you can see that the content examination has a depth limit of 4 bytes. Well, that content, at least with the client versions I've had contact with, is at offset 55.
After changing the "CHAT MSN message" to:
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; offset:55; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;)
it worked.
Any comments? How can I find out how old this rule is?
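How `depth`, `offset` and `distance` bound a content search, modelled in Python as an added example (not part of the original post and not Snort's own code). The matcher is a simplified model of Snort 2 behaviour, the payloads are constructed, and `DEPTH4` stands for the `depth:4` form of the rule the post describes.

```python
# Simplified model of Snort 2 content matching (added example, not Snort code).
# All positions count from the first byte of the TCP payload.

def match_contents(payload, contents):
    """True if every content option matches, in order, with backtracking."""
    def search(idx, prev_end):
        if idx == len(contents):
            return True
        opt = contents[idx]
        pat, data = opt["pattern"], payload
        if opt.get("nocase"):
            pat, data = pat.lower(), data.lower()
        end = len(data)
        if "distance" in opt:                    # relative to previous match
            start = max(0, prev_end + opt["distance"])
        else:                                    # absolute position in payload
            start = opt.get("offset", 0)
            if "depth" in opt:                   # window is `depth` bytes long
                end = min(end, start + opt["depth"])
        pos = data.find(pat, start, end)
        while pos != -1:
            if search(idx + 1, pos + len(pat)):
                return True
            pos = data.find(pat, pos + 1, end)
        return False
    return search(0, 0)

TAIL = [{"pattern": b"Content-Type:", "nocase": True},
        {"pattern": b"text/plain", "distance": 1}]
DEPTH4 = [{"pattern": b"MSG ", "depth": 4}] + TAIL      # depth-limited form
OFFSET55 = [{"pattern": b"MSG ", "offset": 55}] + TAIL  # form posted above

# Constructed sample payloads (not captured traffic).
MSG = (b"MSG user@example.com Nick 120\r\nMIME-Version: 1.0\r\n"
       b"Content-Type: text/plain; charset=UTF-8\r\n\r\nhello")
AT_START = MSG                       # "MSG " is the first payload byte
AT_55 = b"A" * 53 + b"\r\n" + MSG    # 55 filler bytes, then "MSG "
AT_70 = b"A" * 68 + b"\r\n" + MSG    # "MSG " even later in the payload

def results():
    """Map (rule, payload) names to match outcomes."""
    rules = {"depth4": DEPTH4, "offset55": OFFSET55}
    loads = {"at_start": AT_START, "at_55": AT_55, "at_70": AT_70}
    return {(r, p): match_contents(loads[p], rules[r])
            for r in rules for p in loads}

if __name__ == "__main__":
    for key, hit in results().items():
        print(key, hit)
```

With `offset` and no `depth`, the search runs from byte 55 to the end of the payload, so the `AT_70` payload also matches.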
Posted by iceburn on March 24, 2005 00:38:52
Never mind this... how can I delete a post? How embarrassing!
Posted by achva on March 30, 2006 22:41:00
Hi anybody!
How can I create a rule so that if anybody in the organization is surfing erotic or porn sites, Snort will scream at me?
Thanks