From: Victor J. <vi...@nk...> - 2004-07-06 11:39:56
Hi William,

Thanks for your reply.

On Tuesday 06 July 2004 06:32, you wrote:
> Look through your logs, there are certain rules that detect msn-messenger
> logon attempts, if you have converted all rules to drop messenger would
> stop working.

My logs don't show anything about msn messenger. So if snort_inline is blocking msn in some way, it does so without telling me. I also tried aMsn and Gaim and the same thing happens. I got this when running Gaim in debug mode:

<snipped entire login procedure>
msn: C: PNG
msn: S: QNG 41
msn: C: PNG
msn: S: QNG 46
msn: C: PNG
msn: S: QNG 44
msn: C: PNG
msn: S: QNG 40
msn: C: PNG
msn: S: QNG 40
msn: C: PNG
msn: S: QNG 43
msn: C: PNG
msn: S: QNG 42
msn: C: PNG
msn: S: QNG 47

I think 'C' is the client. It does some kind of keep-alive, I think. After a 'PNG' (ping?) the server responds every time. Then, without notice or message, the server stops responding, and finally disconnects.

msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
msn: C: PNG
account: Disconnecting account 0x8198ae0
connection: Disconnecting connection 0x82ba848
server: removing NOP

I get no message whatsoever in any log (snort, iptables, syslog). Could this have something to do with:
1. preprocessor flow
2. preprocessor stream4
3. preprocessor stream4_reassemble
Maybe some internal time-out in snort_inline? Note that I don't have this problem when only iptables handles msn (with -j ACCEPT).
Regards,
Victor

> Regards,
>
> Will
>
> packescrubber:/etc/snort# grep MSN *
> chat.rules:drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;)
> chat.rules:drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; distance:0; nocase; content:"text/x-msmsgsinvite"; distance:0; nocase; content:"Application-Name|3A|"; content:"File Transfer"; distance:0; nocase; classtype:policy-violation; sid:1986; rev:4;)
> chat.rules:drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance:1; classtype:policy-violation; sid:1988; rev:3;)
> chat.rules:drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer reject"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command|3A|"; content:"CANCEL"; distance:0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; distance:0; nocase; classtype:policy-violation; sid:1989; rev:4;)
> chat.rules:drop tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;)
> chat.rules:drop tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; classtype:policy-violation; sid:1991; rev:1;)
> sid-msg.map:540 || CHAT MSN message
> sid-msg.map:1986 || CHAT MSN file transfer request
> sid-msg.map:1988 || CHAT MSN file transfer accept
> sid-msg.map:1989 || CHAT MSN file transfer reject
> sid-msg.map:1990 || CHAT MSN user search
> sid-msg.map:1991 || CHAT MSN login attempt
>
> Victor Julien <vi...@nk...>
> Sent by: snort-inline-users-...@li...urceforge.net
> To: sno...@li...urceforge.net
> cc:
> Subject: [Snort-inline-users] msn messenger problem
> 07/01/2004 02:00 PM
>
> Hi,
>
> I'm testing snort_inline to filter my outgoing traffic. Http, ftp, pop3 work
> fine so far, however msn-messenger does not. I'm using Kopete (kde 3.2.2,
> debian-testing) with msn-plugin. The plugin just dies after some 5 minutes or
> so. This does not happen when msn works just with iptables. Is there any
> known problem with msn and snort_inline?
>
> Regards,
> Victor
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
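The following is an added example, not code from this thread or from the snort_inline project. It replays the six chat.rules entries from William's `grep MSN *` against a handful of constructed MSNP messages (including the PNG/QNG keepalive pair that Victor's Gaim debug output shows) using a minimal Snort-style content matcher. It models only the option subset those rules actually use: `content`, `depth`, `offset`, `distance`, `within`, `nocase`, `|hex|` escapes, and the `->` versus `<>` direction; `flow:established` tracking and the stream4 preprocessor Victor asks about are not modelled. The sample messages and e-mail addresses are made up for the illustration.

```python
"""Replay the quoted chat.rules entries against constructed MSNP messages.

Added illustration, not code from the thread or from snort_inline.  Only the
rule options the six quoted rules use are implemented; the stream4/flow
preprocessors are out of scope here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The chat.rules lines from William's `grep MSN *`, one rule per line.
RULE_TEXT = r'''
drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;)
drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; distance:0; nocase; content:"text/x-msmsgsinvite"; distance:0; nocase; content:"Application-Name|3A|"; content:"File Transfer"; distance:0; nocase; classtype:policy-violation; sid:1986; rev:4;)
drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance:1; classtype:policy-violation; sid:1988; rev:3;)
drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer reject"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command|3A|"; content:"CANCEL"; distance:0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; distance:0; nocase; classtype:policy-violation; sid:1989; rev:4;)
drop tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; classtype:policy-violation; sid:1991; rev:1;)
'''


@dataclass
class Content:
    pattern: str
    nocase: bool = False
    offset: int = 0
    depth: Optional[int] = None
    distance: Optional[int] = None   # set => search relative to the previous match
    within: Optional[int] = None


@dataclass
class Rule:
    sid: int
    msg: str
    to_server_only: bool             # '->' rules (flow:to_server) versus '<>'
    contents: List[Content]


OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')
HEX_RE = re.compile(r'\|([0-9A-Fa-f\s]+)\|')


def decode_content(raw: str) -> str:
    """Turn a Snort content string into text, expanding |3A|-style hex escapes."""
    text = raw.strip('"')
    return HEX_RE.sub(lambda m: bytes.fromhex(m.group(1).replace(' ', '')).decode('latin-1'), text)


def parse_rule(line: str) -> Rule:
    """Parse one rule line into its direction, sid, msg and ordered content checks."""
    header, _, body = line.partition('(')
    direction = header.split()[4]          # 'drop tcp $HOME_NET any <> $EXTERNAL_NET 1863'
    sid, msg, contents = 0, '', []
    for m in OPT_RE.finditer(body.rstrip().rstrip(')')):
        key, val = m.group(1), m.group(2)
        if key == 'content':
            contents.append(Content(decode_content(val)))
        elif key == 'nocase':              # modifiers attach to the preceding content
            contents[-1].nocase = True
        elif key in ('offset', 'depth', 'distance', 'within'):
            setattr(contents[-1], key, int(val))
        elif key == 'sid':
            sid = int(val)
        elif key == 'msg':
            msg = val.strip('"')
    return Rule(sid, msg, direction == '->', contents)


RULES = [parse_rule(l) for l in RULE_TEXT.strip().splitlines()]


def rule_matches(rule: Rule, payload: str, to_server: bool) -> bool:
    """All content checks must succeed, in order; distance/within chain off the last match."""
    if rule.to_server_only and not to_server:
        return False
    cursor = 0                             # end of the previous content match
    for c in rule.contents:
        hay, needle = (payload.lower(), c.pattern.lower()) if c.nocase else (payload, c.pattern)
        if c.distance is not None or c.within is not None:
            start = cursor + (c.distance or 0)
            end = start + c.within if c.within is not None else len(hay)
        else:                              # absolute: offset/depth count from payload start
            start = c.offset
            end = start + c.depth if c.depth is not None else len(hay)
        idx = hay.find(needle, start, end)  # the whole needle must fit inside [start, end)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True


def matching_sids(payload: str, to_server: bool = True) -> List[int]:
    """SIDs of the quoted rules whose content checks all succeed on this payload."""
    return [r.sid for r in RULES if rule_matches(r, payload, to_server)]


# Constructed MSNP messages (not from Victor's capture); the first two are the
# PNG/QNG keepalive pair seen in the Gaim debug output.
SAMPLES = [
    ("client keepalive", "PNG\r\n", True),
    ("server keepalive", "QNG 41\r\n", False),
    ("login", "USR 1 TWN I victor@example.com\r\n", True),
    ("user search", "CAL 2 friend@example.com\r\n", True),
    ("chat message", "MSG 3 N 80\r\nMIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\nhello\r\n", True),
    ("file transfer invite", "MSG 4 N 120\r\nMIME-Version: 1.0\r\nContent-Type: text/x-msmsgsinvite; charset=UTF-8\r\n\r\nApplication-Name: File Transfer\r\nInvitation-Command: INVITE\r\nInvitation-Cookie: 7\r\n", True),
    ("file transfer accept", "MSG 5 N 90\r\nMIME-Version: 1.0\r\nContent-Type: text/x-msmsgsinvite; charset=UTF-8\r\n\r\nInvitation-Command: ACCEPT\r\nInvitation-Cookie: 7\r\n", False),
]

if __name__ == '__main__':
    for name, payload, to_server in SAMPLES:
        sids = matching_sids(payload, to_server)
        print(f"{name:22s} {'C->S' if to_server else 'S->C'}  drop by sid {sids or 'none'}")
```

Run as-is it prints which of the six sids each sample would hit. The login, search, message and file-transfer samples each land on exactly one of the converted-to-drop rules, while neither half of the PNG/QNG keepalive matches any content in those rules, so a drop of that keepalive, if snort_inline is producing one, is not explained by these rule bodies and would have to come from somewhere outside what this matcher models.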