[Snort-sigs] 1631 CHAT AIM login false positive

  This rule is fired when a user starts netscape mail and a mailbox is checked. It appears that it has become a habit of netscape to "call home" to port 5190 whenever netscape mail is used and "Get Msgs" is completed. Proof of concept from my system.

C:\>netstat -an | grep 5190
  TCP xxx.xxx.xxx.xxx:xxxx 64.12.25.151:5190 ESTABLISHED

Search results for: 64.12.25.151

OrgName: America Online, Inc.
OrgID: AMERIC-158
Address: 10600 Infantry Ridge Road
City: Manassas
StateProv: VA
PostalCode: 20109
Country: US

I have opted to not use AOL IM and have also disabled automatic launch in the browser preferences. Still, the connection is attempted, established and maintained, resulting in a false positive.

alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"|2a 01|"; offset:0; d epth:2; classtype:policy-violation; sid:1631; rev:4;)

How could this signature be revised to not fire when a user checks mail using netscape? Changing the destination port will not do it and will only result in missing all valid and in-valid AOL IM logins.

-Terence

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related snort.org Links snort-announce snort-cvsinfo snort-devel snort-sigs snort-users Request more information about Pantek