Rule:--Sid:1832--Summary:This event is generated when activity relating to network chat clients is detected.--Impact:Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.--Detailed Information:Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicioususers to circumvent the protection offered by a network firewall.Vulnerabilities in these clients may also allow remote attackers to gainunauthorized access to a host. This events indicates that an attempt hasbeen made to add a user to the contact list of Mirabilis' ICQ client viaa specially crafted URI on a website.Certain versions of Mirabilis' ICQ client do not require user intervention before adding another ICQ user to the contact list. It is possible for a client to be added to the contact list via a specially crafted URI without the user's knowledge.--Attack Scenarios:An attacker might utilize this vulnerability in the ICQ client to gain access to a host, then upload a Trojan Horse program to gain control of that host.--Ease of Attack:Simple.--False Positives:None Known--False Negatives:None Known--Corrective Action:Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.--Contributors:Sourcefire Vulnerability Research TeamBrian Caswell <brian.caswell@sourcefire.com>Nigel Houghton <nigel.houghton@sourcefire.com>--Additional References:--