
List:       snort-sigs
Subject:    Re: [Snort-sigs] scanning for emoticons in MSN messenger?
From:       Joel Esler <jesler () sourcefire ! com>
Date:       2010-05-04 11:24:30
Message-ID: k2m314cf0831005040424xf46c9395z632bffa576790d05 () mail ! gmail ! com

snort doesn't treat an emoticon as plaintext, an Emoticon IS plain text.

But yes, you'd have to do string check rules.

On Tuesday, May 4, 2010, Eric Zheng <zhengeric@hotmail.com> wrote:
> Would it be possible to detect when an emoticon is being used without looking at
> the format of the image being sent?  Doing so of course without 10 different string
> check rules for 10 different emoticons.  Basically a single rule to acknowledge
> that an emoticon has been sent.  I'm not sure if it's possible since snort treats
> an emoticon as plain text (ie, a smiley face is read as ":)" ).
> Date: Mon, 3 May 2010 08:38:48 -0400
> Subject: Re: [Snort-sigs] scanning for emoticons in MSN messenger?
> From: jesler@sourcefire.com
> To: zhengeric@hotmail.com
> CC: snort-sigs@lists.sourceforge.net
> 
> Eric,
> You'd have to grab a pcap of traffic to see what format the emoticon is in.  Then
> you could write a simple content signature.
>
> Joel
> 
> On Mon, May 3, 2010 at 3:07 AM, Eric Zheng <zhengeric@hotmail.com> wrote:
> I want to see if it's possible to make a rule to look for any custom emoticon being
> sent over MSN messenger.  I believe this is possible since a custom emoticon image
> has to be sent over the network, but I'm not sure how to look for it (file type
> matching? but I don't know what format custom emoticons are in).  I'm new to snort
> rules but I have been familiarizing myself with their syntax and usage.
> I believe it would be along the lines of:
>
> alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"Emoticon detected"; <emoticon signature>;)
>
> Where <emoticon signature> are the requisites to trigger the alert.  Port 1863 is
> used for MSN messenger.
> Any help would be appreciated, thanks!

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
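The "string check rules" Joel refers to, written out as Snort rules: one content rule per emoticon shortcut, and then the same coverage collapsed into a single pcre rule, which is the "single rule" Eric asked about. This is an added example, not a rule from the thread or from Sourcefire; the shortcut list, the sids, the client-to-server direction, and the assumption that an MSN chat message starts with the "MSG " command at the beginning of the payload are my own and were not taken from the thread.

```snort
# Added example (not from the thread). One rule per emoticon shortcut.
# Assumptions: MSN chat messages are "MSG ..." commands at the start of the
# payload, sent by the client on port 1863; sids 1000001+ are in the local range.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"MSN emoticon :) sent"; \
    flow:established,to_server; content:"MSG "; depth:4; content:":)"; \
    classtype:policy-violation; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"MSN emoticon :( sent"; \
    flow:established,to_server; content:"MSG "; depth:4; content:":("; \
    classtype:policy-violation; sid:1000002; rev:1;)

# The same shortcuts in one rule: the pcre alternation carries the whole list,
# so adding an emoticon means adding a branch, not a new rule. Regex
# metacharacters in the shortcuts ( ) ; are escaped.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"MSN emoticon sent"; \
    flow:established,to_server; content:"MSG "; depth:4; \
    pcre:"/(?:\:\)|\:\(|\:D|\;\)|\:P)/"; \
    classtype:policy-violation; sid:1000003; rev:1;)
```

Because the match is on the plain-text shortcut, any message body that happens to contain ":)" fires too, and a custom emoticon's image transfer is not covered by these at all; finding its format is the pcap step Joel describes.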