Snort mailing list archives

RE: Yahoo Instant Messenger


From: <CGhercoias () TWEC COM>
Date: Mon, 19 Jan 2004 11:32:20 -0500

Here is what you'd want to filter on:
Protocol: TCP or HTTP 
Servers: 
- scs.msg.yahoo.com (216.155.193.182)
- scsa.msg.yahoo.com (216.155.193.183)
- scsb.msg.yahoo.com (216.136.173.184)
- scsc.msg.yahoo.com (216.155.193.141)
Ports: 20,23,25,80,119,5050,8001,8002 
 
Start a sniffer and hook it up to the network you want to protect. Do
some logins, logoffs and write some messages in Yahoo Messenger and see
over which ports the activity is happening.
Then define a variable with Yahoo servers, like:
var YAHOO [216.155.193.182/32,216.155.193.183/32,216.155.193.184/32,216.155.193.141/32]
 
Add rules, something like:
alert tcp $HOME_NET any -> $YAHOO 5050 (sid: 1000001; rev: 1; msg: "CHAT Yahoo Message"; flow: to_server,established; content: "YMSG"; nocase; classtype: policy-violation;)
 

_________________ 
Catalin, 

Tart words make no friends; a spoonful of honey will catch more flies
than a gallon of vinegar.
-- B. Franklin 

-----Original Message-----
From: Michael Little [mailto:MLittle () bocaresort com] 
Sent: Sunday, January 18, 2004 12:27 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Yahoo Instant Messenger



I see in the current chat rules that there are rules to detect MSN, AOL,
and ICQ. Does anyone have a rule or know how to detect Yahoo instant
messenger? I would like to block all instant messenger traffic in my
network.

Thanks, 
Mike Little 
Director of Network Services. 
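
Added example, not part of the original e-mails and not Snort code: a Python model of the rule posted in the reply, run over constructed packet records to show which of the servers and ports listed in that reply would raise an alert. The HOME_NET range (192.168.0.0/16), the client address and the payload bytes are assumptions.

```python
import ipaddress

# Addresses and ports copied from the e-mail; HOME_NET is an assumed range.
HOME_NET = ipaddress.ip_network("192.168.0.0/16")
YAHOO = [ipaddress.ip_network(n) for n in (
    "216.155.193.182/32", "216.155.193.183/32",
    "216.155.193.184/32", "216.155.193.141/32")]          # the "var YAHOO" list
LISTED_SERVERS = ["216.155.193.182", "216.155.193.183",
                  "216.136.173.184", "216.155.193.141"]   # the "Servers:" list
LISTED_PORTS = [20, 23, 25, 80, 119, 5050, 8001, 8002]    # the "Ports:" list


def rule_matches(pkt):
    """Apply the posted rule's header and options to one packet record."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    return (pkt["proto"] == "tcp"
            and src in HOME_NET                       # $HOME_NET any ->
            and any(dst in net for net in YAHOO)      # $YAHOO
            and pkt["dport"] == 5050                  # rule's single port
            and pkt["established"] and pkt["to_server"]   # flow option
            and b"ymsg" in pkt["payload"].lower())    # content "YMSG"; nocase


def packet(dst, dport, payload=b"YMSG" + b"\x00" * 16, established=True):
    """Build a constructed client-to-server packet record (not real capture data)."""
    return {"proto": "tcp", "src": "192.168.1.10", "dst": dst, "dport": dport,
            "payload": payload, "established": established, "to_server": True}


def coverage_gaps():
    """Server/port pairs listed in the e-mail on which the rule stays silent."""
    return [(s, p) for s in LISTED_SERVERS for p in LISTED_PORTS
            if not rule_matches(packet(s, p))]


SAMPLES = [
    packet("216.155.193.182", 5050),                       # alerts
    packet("216.155.193.183", 5050, payload=b"..ymsg.."),  # alerts via nocase
    packet("216.155.193.182", 8001),                       # listed port, not in rule
    packet("216.136.173.184", 5050),                       # listed server, not in var
    packet("216.155.193.141", 5050, payload=b"", established=False),  # handshake
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p["dst"], p["dport"], "ALERT" if rule_matches(p) else "no alert")
    print(len(coverage_gaps()), "listed server/port pairs produce no alert")
```

Comparing the gap list with what the sniffer shows on your own network tells you which extra ports or addresses need their own rule or variable entry.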
  

