Solved

can not block messengers

Posted on 2003-03-20
Medium Priority
492 Views
Last Modified: 2011-04-14
Mar 20, 2003, 6:26am PST
I have the following access lists on my PIX 6.2:

access-list acl_in deny tcp any any eq 1863 (hitcnt=0)
access-list acl_in deny udp any any eq 1863 (hitcnt=0)
access-list acl_in deny ip any 64.4.13.0 255.255.255.0 (hitcnt=0)
access-list acl_in deny ip any 64.4.0.0 255.255.0.0 (hitcnt=0)
access-list acl_in deny udp any any eq 5190 (hitcnt=0)
access-list acl_in deny udp any any eq 4000 (hitcnt=0)
access-list acl_in deny tcp any any eq 4000 (hitcnt=0)
access-list acl_in deny tcp any any eq aol (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.153 (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.53 (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.185 (hitcnt=0)
access-list acl_in deny ip any host 216.136.233.128 (hitcnt=0)
access-list acl_in deny ip any host 216.136.224.142 (hitcnt=0)
access-list acl_in deny ip any host 216.136.225.238 (hitcnt=0)

access-list acl_out deny udp host 64.12.13.0 any
access-list acl_out deny udp any any eq 5190
access-list acl_out deny udp any any eq 1863
access-list acl_out deny tcp any any eq 1863
access-list acl_out deny udp any any eq 4000
access-list acl_out deny tcp any any eq 4000
access-list acl_out deny ip 64.4.13.0 255.255.255.0 any
access-list acl_out deny ip 64.4.0.0 255.255.0.0 any
access-list acl_out deny ip host 64.12.161.153 any
access-list acl_out deny ip host 64.12.161.53 any
access-list acl_out deny ip host 64.12.161.185 any
access-list acl_out deny ip host 216.136.233.128 any
access-list acl_out deny ip host 216.136.224.142 any
access-list acl_out deny ip host 216.136.225.238 any

But I am not able to block either Yahoo Messenger, MSN Messenger, AOL Messenger or ICQ. Why so?

The IP addresses above are for the following hosts:

cs.yahoo.com 216.136.233.128
scsa.yahoo.com 216.136.224.142
msg.edit.yahoo.com 216.136.225.238

msn
IP range 64.4.13.0/24 or 64.4.0.0 - 64.4.63.255



Question by:net-geek
11 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 8175229
How do you have these acls applied?

i.e.
access-group acl_out in interface outside
access-group acl_in in interface inside

 
LVL 1

Expert Comment

by:beerbar
ID: 8181608
It looks like you have left out some servers for AOL, and I would bet the same for the others. Blocking this activity is extremely hard; better to run an IDS like Snort to monitor and report than to block. I know Yahoo changes servers all the time and they use dynamic ports, so the conversation is also difficult to track. But if your users know you are watching and know management gets the reports then hopefully that will stop the activity. Management needs to act on the reports though; if they ignore it you'll be no better off.
AFAIK current AOL servers:
64.12.24.0/24,
64.12.25.0/24,
64.12.26.14/24,
64.12.28.0/24,
64.12.29.0/24,
64.12.161.0/24,
64.12.163.0/24,
205.188.5.0/24,
205.188.9.0/24
 
LVL 2

Expert Comment

by:edmonds_robert
ID: 8195351
I've also read that a lot of IM software uses port 80 to communicate, which makes it virtually impossible to block unless you know the IP address that Yahoo (or whatever) is using today.
 

Author Comment

by:net-geek
ID: 8203100
lrmoore,
here is how I am applying them:
access-group acl_in in interface inside

beerbar,
thanks for the list and advice. I have Cisco IDS; I will try to see if I can do snorting with that.

Yahoo is partially blocked. I mean when I download Messenger and try to log in, it says "can not connect", but then it gives me an option to select if I am using a firewall. If I select it and click 'OK' I get through.

Thanks
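To make lrmoore's access-group question concrete, here is a toy evaluator written for this page (it is not Cisco software and not anything net-geek posted). It parses a subset of the access-list lines from the question together with the single access-group line from the follow-up, reports that acl_out is bound to no interface, and shows which acl_in line decides each of three constructed flows. Assumptions: the trailing "permit ip any any" (the thread shows only deny lines), the 10.1.1.5 client address, first-match semantics with an implicit deny at the end of a bound list, and no ACL check at all on an interface with no list bound (the PIX security levels, NAT and connection table are out of scope). The "(hitcnt=N)" tails are ignored.

```python
"""Toy evaluator for the PIX-style ACLs posted in this thread (added example, not Cisco code).

Parses only 'access-list NAME deny|permit PROTO SRC DST [eq PORT]' and
'access-group NAME in interface IF'. Assumed semantics: a bound list is
first-match with an implicit deny at the end; an unbound interface gets no
ACL check here. The final 'permit ip any any' in SAMPLE_CONFIG is constructed.
"""
import ipaddress

PORT_NAMES = {"aol": 5190}  # PIX port keyword used in the thread

SAMPLE_CONFIG = """
access-list acl_in deny tcp any any eq 1863 (hitcnt=0)
access-list acl_in deny udp any any eq 1863 (hitcnt=0)
access-list acl_in deny ip any 64.4.13.0 255.255.255.0 (hitcnt=0)
access-list acl_in deny ip any 64.4.0.0 255.255.0.0 (hitcnt=0)
access-list acl_in deny udp any any eq 5190 (hitcnt=0)
access-list acl_in deny tcp any any eq aol (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.153 (hitcnt=0)
access-list acl_in permit ip any any
access-list acl_out deny tcp any any eq 1863
access-list acl_out deny ip 64.4.13.0 255.255.255.0 any
access-group acl_in in interface inside
"""

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_port(tokens):
    """Consume an optional 'eq PORT' (number or PIX keyword); return (port or None, remaining)."""
    if tokens[:1] == ["eq"]:
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens

def parse_config(text):
    """Return ({acl name: [entries]}, {interface: acl name}); '(hitcnt=N)' tails are ignored."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            action, proto = t[2], t[3]
            src, rest = parse_addr(t[4:])
            sport, rest = parse_port(rest)
            dst, rest = parse_addr(rest)
            dport, _ = parse_port(rest)
            acls.setdefault(t[1], []).append((action, proto, src, sport, dst, dport))
        elif t[:1] == ["access-group"] and t[2:4] == ["in", "interface"]:
            bindings[t[4]] = t[1]
    return acls, bindings

def entry_matches(entry, proto, src_ip, dst_ip, dport):
    """True if an ACL entry covers this flow ('ip' entries match any protocol)."""
    _action, eproto, esrc, _esport, edst, edport = entry
    return (eproto in ("ip", proto)
            and ipaddress.ip_address(src_ip) in esrc
            and ipaddress.ip_address(dst_ip) in edst
            and (edport is None or edport == dport))

def evaluate(acls, bindings, iface, proto, src_ip, dst_ip, dport):
    """Verdict for a packet arriving on `iface`: (action, which line decided it)."""
    name = bindings.get(iface)
    if name is None:
        return "permit", f"no access-group bound to {iface}"
    for i, entry in enumerate(acls.get(name, []), start=1):
        if entry_matches(entry, proto, src_ip, dst_ip, dport):
            return entry[0], f"{name} line {i}"
    return "deny", f"implicit deny at end of {name}"

def unbound_lists(acls, bindings):
    """ACLs that exist in the config but are applied to no interface."""
    return sorted(set(acls) - set(bindings.values()))

if __name__ == "__main__":
    acls, bindings = parse_config(SAMPLE_CONFIG)
    print("unbound lists:", unbound_lists(acls, bindings))
    for pkt in [("inside", "tcp", "10.1.1.5", "64.4.13.20", 1863),   # MSN on its native port
                ("inside", "tcp", "10.1.1.5", "64.12.24.5", 80),     # AOL range from beerbar's list, over 80
                ("outside", "tcp", "64.4.13.20", "10.1.1.5", 1863)]: # no list bound on outside
        print(pkt, "->", evaluate(acls, bindings, *pkt))
```

The second constructed flow is the gap the later comments describe: an AOL server range that is not in the list, reached over port 80, falls through every deny line and hits the permit, while acl_out is never consulted because nothing binds it to the outside interface.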
 
LVL 1

Expert Comment

by:beerbar
ID: 8203774
If you have an IDS, why not reset the connection with it? All the messengers have certain sigs when they try to log in, no matter what port they use.

I use Snort to reset the connection to my clients when they use AOL, MSN, ICQ and Yahoo. Works like a charm; I chased my tail too much with my firewall. Maybe you can hit the Cisco IDS list and ask if anyone has a sig for that?
 
LVL 1

Expert Comment

by:beerbar
ID: 8203796
I can post snort sigs if you like.
 

Author Comment

by:net-geek
ID: 8208048
beerbar,

please post the signatures.

thanks
vikrant
 
LVL 1

Accepted Solution

by: beerbar earned 100 total points
ID: 8210511
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/plain"; distance:1; classtype:misc-activity; sid:540; rev:8;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content: "User-Agent\:ICQ"; classtype:misc-activity; sid:541; rev:6;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; classtype:misc-activity; sid:1463; rev:3;)

alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"|2a 01|"; offset:0; depth:2; classtype:policy-violation; sid:1631; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CHAT Yahoo messenger login"; flags: A+; content:"domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT Yahoo messenger file transfer"; flags: A+; content:"FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)
 
LVL 1

Expert Comment

by:beerbar
ID: 8210524
The Yahoo line is 2 sigs; at the end of line 1 the word alert starts a new sig.
 

Author Comment

by:net-geek
ID: 8211066
I am giving you the allotted points. Thanks for your help.
I was just curious as to how to get signatures for a specific application. I mean, can I write my own signatures and apply them? This may sound a very trivial question, but I would really appreciate it if you take time out to answer.
 
LVL 1

Expert Comment

by:beerbar
ID: 8217521
You would need to use a packet sniffer like tcpdump or Ethereal. Set it up in a test environment and on another machine fire up the app in question and watch it go. Sort through the data collected and produce a sig. Sometimes it's very simple and sometimes it's very difficult. Depends on a whole number of factors.
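As an added example for the accepted solution and for the capture-then-write-a-sig procedure just described (this is code written for this page, not Snort itself and not beerbar's), the script below implements only the rule options those six signatures use (content with |hex| and backslash escapes, nocase, offset, depth, distance), runs them over constructed packets, and adds a longest-common-substring helper that does mechanically what the last comment describes by hand: take several captures of the same client action and pull out the bytes they all share as a first candidate for a content: match. The $HOME_NET, $EXTERNAL_NET and $AIM_SERVERS variables are reduced to a packet direction, flow/flags/classtype are ignored, and every payload is constructed and only mimics the real protocol framing.

```python
"""Minimal Snort-style rule matcher and a first-cut signature finder (added example, not Snort).

Supports only the options the posted signatures use (content with |hex| and
backslash escapes, nocase, offset, depth, distance); flow, flags and classtype
are ignored. $HOME_NET/$EXTERNAL_NET/$AIM_SERVERS become a packet direction:
'out' = inside host to Internet, 'in' = reverse. All payloads are constructed.
"""

def decode_content(raw):
    """Snort content string to bytes: |2a 01| is hex, a backslash escapes the next char."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "|":
            j = raw.index("|", i + 1)
            out, i = out + bytes.fromhex(raw[i + 1:j]), j + 1
        else:
            if raw[i] == "\\":
                i += 1  # keep the escaped character literally
            out.append(ord(raw[i]))
            i += 1
    return bytes(out)

def parse_rule(text):
    """Parse 'alert tcp SRC SPORT DIR DST DPORT (options)' into a dict."""
    header, body = text.split("(", 1)
    h = header.split()
    rule = {"sid": None, "msg": "", "sport": h[3], "dport": h[6], "contents": [],
            "dir": "both" if h[4] == "<>" else ("in" if h[2] == "$EXTERNAL_NET" else "out")}
    for opt in body.rsplit(")", 1)[0].split(";"):
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            rule["contents"].append({"pat": decode_content(val.strip('"')), "nocase": False,
                                     "offset": 0, "depth": None, "distance": None})
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1]["nocase"] = True
        elif key in ("offset", "depth", "distance") and rule["contents"]:
            rule["contents"][-1][key] = int(val)
        elif key in ("msg", "sid"):
            rule[key] = int(val) if key == "sid" else val.strip('"')
    return rule

def port_ok(spec, port):
    """'any', one port, or a 'lo:hi' range."""
    lo, _, hi = spec.partition(":")
    return spec == "any" or int(lo) <= port <= int(hi or lo)

def payload_ok(contents, payload):
    """Apply each content in order; distance is relative to the end of the previous match."""
    last_end = 0
    for c in contents:
        hay, pat = (payload.lower(), c["pat"].lower()) if c["nocase"] else (payload, c["pat"])
        start = last_end + c["distance"] if c["distance"] is not None else c["offset"]
        end = len(hay) if c["depth"] is None else start + c["depth"]
        idx = hay.find(pat, start, end)
        if idx < 0:
            return False
        last_end = idx + len(pat)
    return True

def rule_fires(rule, pkt):
    """pkt = (direction, sport, dport, payload); '<>' rules accept either port orientation."""
    direction, sport, dport, payload = pkt
    forward = port_ok(rule["sport"], sport) and port_ok(rule["dport"], dport)
    reverse = port_ok(rule["sport"], dport) and port_ok(rule["dport"], sport)
    ports = (forward or reverse) if rule["dir"] == "both" else (forward and rule["dir"] == direction)
    return ports and payload_ok(rule["contents"], payload)

RULES = [parse_rule(r) for r in [  # the six signatures from the accepted solution
    r'alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/plain"; distance:1; classtype:misc-activity; sid:540; rev:8;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content: "User-Agent\:ICQ"; classtype:misc-activity; sid:541; rev:6;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; classtype:misc-activity; sid:1463; rev:3;)',
    r'alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"|2a 01|"; offset:0; depth:2; classtype:policy-violation; sid:1631; rev:4;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CHAT Yahoo messenger login"; flags: A+; content:"domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT Yahoo messenger file transfer"; flags: A+; content:"FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)',
]]

# Constructed packets: (direction, sport, dport, payload); framing is only mimicked.
PACKETS = {
    "msn message": ("out", 3521, 1863, b"MSG 5 N 95\r\nMIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\nhi"),
    "aim login": ("out", 3522, 5190, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),
    "yahoo login reply": ("in", 5050, 3523, b"YMSG\x00\x0b\x00\x00Set-Cookie: Y=v=1; domain=.yahoo.com"),
    "yahoo transfer over 80": ("out", 3524, 80, b"YMSG\x00\x0b\x00\x00FILEXFER 0 1 alice bob"),
    "plain http": ("out", 3525, 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
}

def alerts_for(pkt):
    """sids of every rule that fires on the packet."""
    return sorted(r["sid"] for r in RULES if rule_fires(r, pkt))

def common_substring(samples):
    """Longest byte string present in every captured sample: a first candidate for content:."""
    shortest = min(samples, key=len)
    for n in range(len(shortest), 0, -1):
        for i in range(len(shortest) - n + 1):
            if all(shortest[i:i + n] in s for s in samples):
                return shortest[i:i + n]
    return b""

# Three constructed captures of one client action; only the length byte and user name vary.
LOGIN_SAMPLES = [b"YMSG\x00\x0b\x00\x1aALICE", b"YMSG\x00\x0b\x00\x16BOB", b"YMSG\x00\x0b\x00\x20CAROL"]

if __name__ == "__main__":
    print({name: alerts_for(pkt) for name, pkt in PACKETS.items()})
    print("candidate content:", common_substring(LOGIN_SAMPLES))
```

The "yahoo transfer over 80" packet is the point of beerbar's "no matter what port they use": both Yahoo rules have any as the port, so the YMSG payload still fires sid 1000004 on port 80, where the PIX port-based deny lines would never see it, while a plain HTTP request on the same port fires nothing. The common_substring helper is only a starting point; a candidate like this still has to be checked against non-IM traffic for false positives before it becomes a rule.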
