List: snort-sigs
Subject: Re: [Snort-sigs] scanning for emoticons in MSN messenger?
From: Joel Esler <jesler () sourcefire ! com>
Date: 2010-05-04 11:24:30
Message-ID: k2m314cf0831005040424xf46c9395z632bffa576790d05 () mail ! gmail ! com
Snort doesn't treat an emoticon as plaintext; an emoticon IS plain text.
But yes, you'd have to do string check rules.
On Tuesday, May 4, 2010, Eric Zheng <zhengeric@hotmail.com> wrote:
>
> Would it be possible to detect when an emoticon is being used without looking at the format of the image being sent? Doing so of course without 10 different string check rules for 10 different emoticons. Basically a single rule to acknowledge that an emoticon has been sent. I'm not sure if it's possible since Snort treats an emoticon as plain text (i.e., a smiley face is read as ":)").
> Date: Mon, 3 May 2010 08:38:48 -0400
> Subject: Re: [Snort-sigs] scanning for emoticons in MSN messenger?
> From: jesler@sourcefire.com
> To: zhengeric@hotmail.com
> CC: snort-sigs@lists.sourceforge.net
>
> Eric,
> You'd have to grab a pcap of traffic to see what format the emoticon is in. Then you could write a simple content signature.
> Joel
>
> On Mon, May 3, 2010 at 3:07 AM, Eric Zheng <zhengeric@hotmail.com> wrote:
>
> I want to see if it's possible to make a rule to look for any custom emoticon being sent over MSN Messenger. I believe this is possible since a custom emoticon image has to be sent over the network, but I'm not sure how to look for it (file type matching? but I don't know what format custom emoticons are in). I'm new to Snort rules but I have been familiarizing myself with their syntax and usage.
> I believe it would be along the lines of:
>
> alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"Emoticon detected"; <emoticon signature>;)
>
> Where <emoticon signature> are the requisites to trigger the alert. Port 1863 is used for MSN Messenger.
> Any help would be appreciated, thanks!
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
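Joel's "string check rules" for the standard text shortcuts can be collapsed into a single pcre-based rule. The script below is an added example, not code from the thread: it builds that one pattern, renders the matching Snort rule (with a hypothetical local sid and an assumed client-to-server direction on 1863), and runs the same pattern over constructed MSNP MSG payloads, scanning only text/plain bodies so control messages do not trigger it. It says nothing about custom image emoticons, which, as Joel notes, need a pcap first.

```python
import re

# Emoticon shortcuts to recognise: a constructed, illustrative list, not one
# taken from the thread or from MSN Messenger's real table.
EMOTICONS = [":)", ":(", ":D", ":P", ";)", ":o", ":-)", ":-(", "(Y)", "(N)", "(L)"]

# One alternation covering every shortcut: the single-rule equivalent of one
# content: match per emoticon. re.escape output is also valid PCRE here, so
# the same pattern goes straight into a Snort pcre option.
PATTERN = "|".join(re.escape(e) for e in EMOTICONS)
EMOTICON_RE = re.compile(PATTERN)


def snort_rule(sid: int) -> str:
    """Render the single-rule equivalent. Direction is client -> server on
    1863 (the local user types the emoticon); sid is a hypothetical local id."""
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 '
            '(msg:"MSN text emoticon sent"; content:"MSG "; depth:4; '
            f'pcre:"/{PATTERN}/"; sid:{sid}; rev:1;)')


def find_emoticons(payload: bytes) -> list:
    r"""Return emoticon shortcuts found in the body of one MSNP MSG command.
    Assumed wire shape (simplified for this example):
        MSG <trid> <ack> <len>\r\n<MIME headers>\r\n\r\n<body>
    Only text/plain bodies are scanned, so a control message (typing
    notification etc.) that happens to contain ":)" is not flagged."""
    text = payload.decode("utf-8", errors="replace")
    if not text.startswith("MSG "):
        return []
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:                            # no header/body boundary: incomplete
        return []
    ctype = ""
    for line in head.split("\r\n")[1:]:    # skip the "MSG trid ack len" line
        if line.lower().startswith("content-type:"):
            ctype = line.split(":", 1)[1].strip().lower()
    if not ctype.startswith("text/plain"):
        return []
    return EMOTICON_RE.findall(body)


# Constructed sample payloads, not captured traffic.
CHAT = (b"MSG 4 N 77\r\nMIME-Version: 1.0\r\n"
        b"Content-Type: text/plain; charset=UTF-8\r\n\r\nmeeting at 3? :) (Y)")
CONTROL = (b"MSG 5 U 60\r\nMIME-Version: 1.0\r\n"
           b"Content-Type: text/x-msmsgscontrol\r\nTypingUser: bob\r\n\r\n:)")

if __name__ == "__main__":
    print(snort_rule(1000001))
    print(find_emoticons(CHAT), find_emoticons(CONTROL))   # [':)', '(Y)'] []
```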