Detecting IM
Problem
We have a problem with users chatting over Instant Messenger networks. How can we detect when they are using the applications so that we can catch them in the act?
Solution
The following few examples track AOL IM, Yahoo! IM, and MSN IM usage on the network.
AOL IM
While AOL IM is one of the most aggressive IM clients, it must be able to communicate with a specific server, login.oscar.aol.com. However, OSCAR uses quite a bit of IP space when traversing corporate networks. So the snort.conf default variable AIM_SERVERS catches the AIM protocol in use when connecting to the known servers. Feel free to submit IP addresses back to Snort as you find more AIM servers.
# This will detect when the client is logging into AOL
alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"Chat AIM login"; flow:to_server,established; content:"*|01|"; depth:2; classtype:policy-violation; sid:1632; rev:1;)
The following rule logs all traffic between AIM clients. If you have AIM users, you'll soon be flooded with alarms, but it may at least yield some interesting results.
alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"Chat AIM Message"; flow:from_client,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:1633; rev:6;)
You can also detect and block port 5190/tcp, as this is the default port AIM uses to communicate.
Yahoo! IM (YIM)
Next is Yahoo! IM (YIM). While YIM is not quite as aggressive in its determination to get out, it does have one feature that will drive you nuts. It's crazy about keeping proper time. On one network, we have a YIM event about every 30 seconds when someone is using it! So our rule to detect YIM is again looking for the protocol even when trying to avoid the default port of 5050/tcp.
# This rule will fire on the binary data from the YIM client itself
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Chat Yahoo IM login"; flow:from_client,established; content:"|70 61 74 83 d2 f3 b2 06 46 f6 d6 61 9e 3d 2e|"; classtype:policy-violation; sid:10570; rev:1;)
While the previous rule tracked the application protocol, the following rule looks for an actual conversation in the flow. It filters out packets that have a TCP payload of less than 52 bytes to help reduce false positives. The Snort keyword dsize allows us to filter packets based on the byte size of the TCP payload data.
alert tcp $HOME_NET any -> any any (msg:"Chat Yahoo IM Message"; flow:to_server,established; content:"YMSG"; dsize:>52; content:"TYPING"; sid:10571; rev:1;)
MSN IM
This client is very hard to identify on the network. Since Microsoft integrates its IM client with the clients for users' Hotmail and MSN Mail accounts and uses the unified Passport login system, distinguishing IM traffic from normal MSN traffic is a problem. Your only defense is to look for MSN traffic over the default port of 1863/tcp, and then try to determine whether the traffic is the result of chat or mail connections.
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"Chat MSN IM message"; flow:established; content:"MSG"; depth:4; content:"Content-Type|3A|"; distance:0; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;)
The following rule looks for a file transferred over the MSN IM protocol. This is one way for viruses to appear on workstation machines, even though you have no record of them passing through email or file servers.
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"Chat MSN IM file transfer accept"; flow:established; content:"MSG"; depth:4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance:1; classtype:policy-violation; sid:1988; rev:3;)
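To see how the content, depth, offset and dsize modifiers in the rules above actually carve up a packet, here is an added Python evaluator (not part of the cookbook or of Snort) that re-implements those modifiers for the AIM, Yahoo! and MSN signatures and runs them over constructed sample payloads; the payloads are hand-built to the FLAP/SNAC, YMSG and MSN MSG layouts the rules key on, not real captures.

```python
# Added example (not from the cookbook): a minimal evaluator for the Snort
# content/depth/offset/dsize modifiers used by the IM rules in this recipe.

def parse_content(spec):
    """Turn Snort content notation into bytes: text outside |...| is literal,
    text inside |...| is space-separated hex (e.g. "*|02|", "Content-Type|3A|")."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def content_match(payload, spec, depth=None, offset=0, nocase=False):
    """Snort semantics: search for the pattern starting at `offset`, looking at
    most `depth` bytes into the payload from there (whole payload if no depth)."""
    pattern = parse_content(spec)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window

# sid:1632 - FLAP channel 1 (new connection / login) frame: "*" then 0x01
def aim_login(payload):
    return content_match(payload, "*|01|", depth=2)

# sid:1633 - FLAP channel 2 frame whose SNAC header (at offset 6) is
# family 0x0004 (ICBM), subtype 0x0006 (outgoing message)
def aim_message(payload):
    return (content_match(payload, "*|02|", depth=2)
            and content_match(payload, "|00 04 00 06|", depth=4, offset=6))

# sid:10571 - "YMSG" header plus TYPING, but only when dsize is over 52 bytes
def yim_message(payload):
    return (len(payload) > 52 and content_match(payload, "YMSG")
            and content_match(payload, "TYPING"))

# sid:540 - MSN MSG command carrying a text/plain MIME body
def msn_message(payload):
    return (content_match(payload, "MSG", depth=4)
            and content_match(payload, "Content-Type|3A|", nocase=True)
            and content_match(payload, "text/plain"))

# Constructed sample payloads (not captures) shaped like the traffic each rule
# describes: a FLAP login frame, a FLAP frame with an outgoing ICBM SNAC, a
# padded YMSG typing notification, and an MSN MSG with a text/plain body.
AIM_LOGIN = b"*\x01\x00\x01\x00\x04\x00\x00\x00\x01"
AIM_MSG = b"*\x02\x00\x02\x00\x20" + b"\x00\x04\x00\x06" + b"\x00" * 6 + b"hi there"
YIM_TYPING = b"YMSG\x00\x0b\x00\x00\x00\x30\x00\x4b" + b"\x00" * 12 + b"TYPING" + b"\xc0\x80" * 20
MSN_MSG = (b"MSG 4 N 93\r\nMIME-Version: 1.0\r\n"
           b"Content-Type: text/plain; charset=UTF-8\r\n\r\nhello")

if __name__ == "__main__":
    for name, fn, pkt in [("AIM login", aim_login, AIM_LOGIN), ("AIM message", aim_message, AIM_MSG),
                          ("YIM message", yim_message, YIM_TYPING), ("MSN message", msn_message, MSN_MSG)]:
        print(f"{name}: {fn(pkt)}")
```

Note that the depth-limited checks are what keep the AIM rules apart: the same "*" lead byte appears in both frames, and only the channel byte within the first two bytes (and the SNAC family at offset 6) distinguishes a login from a sent message.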
Discussion
Instant Messenger is a part of the normal work flow for some organizations. For example, in the financial world, IM is allowed, provided all communications are logged for SEC records. However, for other corporations, IM is just another way that people avoid work and possibly steal corporate information. It can be a threat to your network, since new viruses and Trojans spread through IM to bypass strict border security measures.
Another threat is that most of the IM services have Java or web clients that require no installation and run entirely from the browser. This makes them much harder to identify. Sites like p2pchat.net may send chills down your spine if you're concerned about IM security. Some sites allow encrypted access using SSL and anonymous chatting over a web interface. A determined user could use these via a number of proxies to bypass your security measures.
The best hope an organization has for this type of traffic is to use other countermeasures to block it, such as content-based web proxies, DNS blocks of known IM and IM-supporting sites, and perimeter blocking of known IP space for IM servers.
See Also
Snort-sigs mailing list
Detecting P2P