# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved## This file may contain proprietary rules that were created, tested and# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as# rules that were created by Sourcefire and other third parties and# distributed under the GNU General Public License (the "GPL Rules").  The# VRT Certified Rules contained in this file are the property of# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.# The GPL Rules created by Sourcefire, Inc. are the property of# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights# Reserved.  All other GPL Rules are owned and copyrighted by their# respective owners (please see www.snort.org/contributors for a list of# owners and their respective copyrights).  In order to determine what# rules are VRT Certified Rules or GPL Rules, please refer to the VRT# Certified Rules License Agreement.### $Id: chat.rules,v 1.35.6.3 2007/12/18 19:39:12 vrtbuild Exp $#-------------# CHAT RULES#-------------# These signatures look for people using various types of chat programs (for# example: AIM, ICQ, and IRC) which may be against corporate policyalert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; metadata:policy security-ips drop; classtype:policy-violation; sid:541; rev:10;)alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; nocase; content:"[ICQ User]"; metadata:policy security-ips drop; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:8;)alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; metadata:policy security-ips drop; classtype:policy-violation; sid:540; rev:12;)alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN outbound file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; metadata:policy security-ips drop; classtype:policy-violation; sid:1986; rev:7;)alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHAT MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; metadata:policy security-ips drop; classtype:policy-violation; sid:1988; rev:6;)alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHAT MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; metadata:policy security-ips drop; classtype:policy-violation; sid:1989; rev:7;)alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; metadata:policy security-ips drop; classtype:policy-violation; sid:1990; rev:2;)alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; threshold:type limit, track by_src, count 1, seconds 60; metadata:policy security-ips drop; classtype:policy-violation; sid:1991; rev:3;)alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC nick change"; flow:to_server,established; content:"NICK "; nocase; pcre:"/^\s*NICK/smi"; metadata:policy security-ips drop; classtype:policy-violation; sid:542; rev:13;)alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; nocase; content:" |3A|.DCC SEND"; distance:0; nocase; pcre:"/^\s*PRIVMSG/smi"; metadata:policy security-ips drop; classtype:policy-violation; sid:1639; rev:8;)alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; nocase; content:" |3A|.DCC CHAT chat"; distance:0; nocase; pcre:"/^\s*PRIVMSG/smi"; metadata:policy security-ips drop; classtype:policy-violation; sid:1640; rev:8;)alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN "; nocase; pcre:"/^\s*JOIN/smi"; metadata:policy security-ips drop; classtype:policy-violation; sid:1729; rev:7;)alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:established; content:"PRIVMSG "; nocase; pcre:"/^\s*PRIVMSG/smi"; metadata:policy security-ips drop; classtype:policy-violation; sid:1463; rev:8;)alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC dns request"; flow:to_server,established; content:"USERHOST "; nocase; pcre:"/^\s*USERHOST/smi"; metadata:policy security-ips drop; classtype:policy-violation; sid:1789; rev:5;)alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CHAT IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; metadata:policy security-ips drop; classtype:policy-violation; sid:1790; rev:5;)alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 17 00 06|"; within:8; distance:4; metadata:policy security-ips drop; classtype:policy-violation; sid:1631; rev:9;)alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; metadata:policy security-ips drop; classtype:policy-violation; sid:1633; rev:7;)alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; metadata:policy security-ips drop; classtype:policy-violation; sid:2450; rev:4;)alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; metadata:policy security-ips drop; classtype:policy-violation; sid:2451; rev:4;)alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; metadata:policy security-ips drop; classtype:policy-violation; sid:2452; rev:5;)alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; metadata:policy security-ips drop; classtype:policy-violation; sid:2453; rev:4;)alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; metadata:policy security-ips drop; classtype:policy-violation; sid:2454; rev:4;)alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; metadata:policy security-ips drop; classtype:policy-violation; sid:2455; rev:4;)alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; metadata:policy security-ips drop; classtype:policy-violation; sid:2456; rev:5;)alert tcp any any <> any 5101 (msg:"CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; nocase; metadata:policy security-ips drop; classtype:policy-violation; sid:2457; rev:3;)alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; metadata:policy security-ips drop; classtype:policy-violation; sid:2458; rev:4;)alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; metadata:policy security-ips drop; classtype:policy-violation; sid:2459; rev:5;)alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"CHAT Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; metadata:policy security-ips drop; classtype:policy-violation; sid:2460; rev:5;)alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; metadata:policy security-ips drop; classtype:policy-violation; sid:2461; rev:5;)alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CHAT Yahoo Messenger File Transfer Initiation Request"; flow:established; content:"/notifyft"; depth:14; nocase; content:"Host|3A| filetransfer.msg.yahoo.com"; nocase; metadata:policy security-ips drop; classtype:policy-violation; sid:3692; rev:2;)alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo Messenger Message"; flow:established; content:"YMSG"; depth:4; content:"|00 06|"; depth:2; offset:10; metadata:policy security-ips drop; classtype:policy-violation; sid:3691; rev:2;)alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel notice"; flow:to_server,established; content:"NOTICE "; nocase; pcre:"/^\s*NOTICE/smi"; metadata:policy security-ips drop; classtype:policy-violation; sid:6182; rev:2;)alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"CHAT jabber file transfer request"; flow:established,to_server; content:"xmlns="; nocase; content:"jabber.org/protocol"; distance:0; nocase; content:"file-transfer"; distance:0; nocase; metadata:policy security-ips drop; reference:url,www.jabber.org/jeps/jep-0096.html; reference:url,www.xmpp.org; classtype:policy-violation; sid:6468; rev:2;)# alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"CHAT jabber traffic detected"; flow:established,to_server; content:"jabber|3A|client"; nocase; threshold:type limit,track by_src,count 1,seconds 60; metadata:policy security-ips drop; reference:url,www.xmpp.org; classtype:policy-violation; sid:6467; rev:2;)# alert udp any 1025: -> any 1025: (msg:"CHAT Microsoft Live chat video feed initiation"; content:"H|00 00 00 00 00 00 00 00 00|"; dsize:10; reference:url,ml20rc.msnfanatic.com/vc_1_1/; classtype:policy-violation; sid:12457; rev:1;)alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CHAT ebuddy.com login attempt"; flow:established,to_client; content:"Set-Cookie|3A| network="; nocase; content:"Domain=.ebuddy.com"; reference:url,www.ebuddy.com; classtype:policy-violation; sid:12611; rev:1;)