[c-nsp] Cisco IPS 5.1 - MSN Messenger detection (through http)

Velasquez Venegas Jaime Omar jaime at ulima.edu.pe
Thu Nov 16 12:08:06 EST 2006


Hi.
We have recently upgraded to Cisco IPS 5.1 and been checking signatures
related to instant messaging since we've been tasked to keep some pcs
from establishing msn messenger connections.
These are the signatures (among others) we have found that would prevent
msn messenger connections:

11222.0 MSN Login 
11211.0 MSN Messenger Through HTTP Proxy 
11211.1 MSN Messenger Through HTTP Proxy

According to cisco ,the first signature fires when an MSN client login
to the default TCP port 1863 is detected.
(https://mynoc.calence.com/enportal-custom/NSDB/html/sig_11201_0.html)
Two other ones,do the same when detecting ussage of a MSN Messenger
client via a HTTP proxy.
(https://mynoc.calence.com/enportal-custom/NSDB/html/sig_11211_0.html)

We have been doing some tests with no results.
Since a capture of traffic from a msn messenger client session shows
connection through tcp/80,i've been looking for additional signatures in
Cisco IPS 5.1 that detects this behaviour to no avail.

Any help?

Thanks.












More information about the cisco-nsp mailing list