
Solved

can not block messengers

Posted on 2003-03-20
Last Modified: 2011-04-14
Mar 20, 2003, 6:26am PST
I have the following access lists on my PIX 6.2:

access-list acl_in deny tcp any any eq 1863 (hitcnt=0)
access-list acl_in deny udp any any eq 1863 (hitcnt=0)
access-list acl_in deny ip any 64.4.13.0 255.255.255.0 (hitcnt=0)
access-list acl_in deny ip any 64.4.0.0 255.255.0.0 (hitcnt=0)
access-list acl_in deny udp any any eq 5190 (hitcnt=0)
access-list acl_in deny udp any any eq 4000 (hitcnt=0)
access-list acl_in deny tcp any any eq 4000 (hitcnt=0)
access-list acl_in deny tcp any any eq aol (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.153 (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.53 (hitcnt=0)
access-list acl_in deny ip any host 64.12.161.185 (hitcnt=0)
access-list acl_in deny ip any host 216.136.233.128 (hitcnt=0)
access-list acl_in deny ip any host 216.136.224.142 (hitcnt=0)
access-list acl_in deny ip any host 216.136.225.238 (hitcnt=0)

access-list acl_out deny udp host 64.12.13.0 any
access-list acl_out deny udp any any eq 5190
access-list acl_out deny udp any any eq 1863
access-list acl_out deny tcp any any eq 1863
access-list acl_out deny udp any any eq 4000
access-list acl_out deny tcp any any eq 4000
access-list acl_out deny ip 64.4.13.0 255.255.255.0 any
access-list acl_out deny ip 64.4.0.0 255.255.0.0 any
access-list acl_out deny ip host 64.12.161.153 any
access-list acl_out deny ip host 64.12.161.53 any
access-list acl_out deny ip host 64.12.161.185 any
access-list acl_out deny ip host 216.136.233.128 any
access-list acl_out deny ip host 216.136.224.142 any
access-list acl_out deny ip host 216.136.225.238 any

But I am not able to block either Yahoo Messenger, MSN Messenger, AOL Messenger or ICQ. Why so?

The IP addresses above are for the following hosts:

cs.yahoo.com 216.136.233.128
scsa.yahoo.com 216.136.224.142
msg.edit.yahoo.com 216.136.225.238

MSN
IP range 64.4.13.0/24 or 64.4.0.0 - 64.4.63.255



Question by:net-geek
11 Comments
Expert Comment

by:lrmoore
ID: 8175229
How do you have these ACLs applied?

i.e.
access-group acl_out in interface outside
access-group acl_in in interface inside

Expert Comment

by:beerbar
ID: 8181608
It looks like you have left out some servers for AOL, and I would bet the same for the others. Blocking this activity is extremely hard; better to run an IDS like Snort to monitor and report than to block. I know Yahoo changes servers all the time and they use dynamic ports, so the conversation is also difficult to track. But if your users know you are watching and know management gets the reports, then hopefully that will stop the activity. Management needs to act on the reports though; if they ignore it you'll be no better off.
AFAIK current AOL servers
64.12.24.0/24,
64.12.25.0/24,
64.12.26.14/24,
64.12.28.0/24,
64.12.29.0/24,
64.12.161.0/24,
64.12.163.0/24,
205.188.5.0/24,
205.188.9.0/24
Expert Comment

by:edmonds_robert
ID: 8195351
I've also read that a lot of IM software is using port 80 to communicate, which makes it virtually impossible to block unless you know the IP address that Yahoo (or whatever) is using today.
Author Comment

by:net-geek
ID: 8203100
lrmoore,
here is how I am applying them.
access-group acl_in in interface inside

beerbar,
Thanks for the list and advice. I have Cisco IDS; I will try to see if I can do snorting with that.

Yahoo is partially blocked. I mean, when I download Messenger and try to log in, it says "can not connect", but then it gives me an option to select if I am using a firewall. If I select it and click 'OK' I get through.

Thanks
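The check lrmoore is asking about can be done from the two command outputs the PIX gives you, "show access-list" (which prints the hitcnt per entry) and "show access-group" (which shows which list is bound to which interface). The script below is an added example, not code from the thread or from Cisco: it parses those two outputs, reports any access-list that is defined but never bound with access-group, and lists the deny entries on a bound list that have never matched a packet. The sample text is constructed from the ACLs in the question plus the single access-group line the author reports applying; the permit entry and its hit count are made up to show a line that does match. Function names are this example's own.

```python
"""Audit PIX 'show access-list' output against the applied access-groups.

Added example (not from the original thread). Parses the ACL listing and
access-group lines in the form the PIX 6.x CLI prints them, then reports
(a) access-lists that are defined but never bound to an interface and
(b) deny entries on bound lists that have never matched (hitcnt=0).
"""
import re
from collections import defaultdict

# Constructed sample: entries taken from the question, plus a permit line
# with a non-zero hit count that is invented for contrast.
SHOW_ACCESS_LIST = """\
access-list acl_in deny tcp any any eq 1863 (hitcnt=0)
access-list acl_in deny udp any any eq 1863 (hitcnt=0)
access-list acl_in deny ip any 64.4.0.0 255.255.0.0 (hitcnt=0)
access-list acl_in deny ip any host 216.136.233.128 (hitcnt=0)
access-list acl_in permit ip any any (hitcnt=48213)
access-list acl_out deny udp any any eq 5190 (hitcnt=0)
access-list acl_out deny ip 64.4.0.0 255.255.0.0 any (hitcnt=0)
"""

# Constructed sample: the only access-group line the author reported.
RUNNING_CONFIG = """\
access-group acl_in in interface inside
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<rest>.*?)"
    r"(?:\s+\(hitcnt=(?P<hits>\d+)\))?\s*$"
)
GROUP_RE = re.compile(
    r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)\s*$"
)


def parse_aces(text):
    """Return {acl_name: [(action, rule_text, hitcnt), ...]} in listing order."""
    acls = defaultdict(list)
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        hits = int(m.group("hits")) if m.group("hits") is not None else 0
        acls[m.group("name")].append((m.group("action"), m.group("rest"), hits))
    return dict(acls)


def parse_access_groups(text):
    """Return {acl_name: interface} for every access-group binding."""
    bound = {}
    for line in text.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            bound[m.group("name")] = m.group("iface")
    return bound


def audit(show_acl_text, config_text):
    """Find unbound ACLs and, on bound ACLs, deny entries that never matched."""
    acls = parse_aces(show_acl_text)
    bound = parse_access_groups(config_text)
    unbound = sorted(name for name in acls if name not in bound)
    # A deny with hitcnt=0 on a bound ACL means no packet ever reached the
    # rule: the client is not using those ports/addresses (or not that path).
    dead_denies = {
        name: [rule for action, rule, hits in entries if action == "deny" and hits == 0]
        for name, entries in acls.items()
        if name in bound
    }
    return {"unbound": unbound, "dead_denies": dead_denies, "bound": bound}


if __name__ == "__main__":
    report = audit(SHOW_ACCESS_LIST, RUNNING_CONFIG)
    for name in report["unbound"]:
        print(f"{name}: defined but never applied with access-group")
    for name, rules in report["dead_denies"].items():
        for rule in rules:
            print(f"{name} ({report['bound'][name]}): never matched -> deny {rule}")
```

On the sample input this flags acl_out as unbound (a list that is never applied blocks nothing, whatever it contains) and lists every deny on acl_in as never matched, which is the combination the question shows: the rules are in place on the inside interface, but the clients are simply not sending traffic that they describe.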
Expert Comment

by:beerbar
ID: 8203774
If you have an IDS, why not reset the connection with it? All the messengers have certain sigs when they try to log in, no matter what port they use.

I use Snort to reset the connection to my clients when they use AOL, MSN, ICQ and Yahoo. Works like a charm; I chased my tail too much with my firewall. Maybe you can hit the Cisco IDS list and ask if anyone has a sig for that?
Expert Comment

by:beerbar
ID: 8203796
I can post snort sigs if you like.
Author Comment

by:net-geek
ID: 8208048
beerbar,

please post the signatures.

Thanks,
Vikrant
Accepted Solution

by:beerbar (earned 100 total points)
ID: 8210511
# Snort rules, one per line. $HOME_NET, $EXTERNAL_NET and $AIM_SERVERS are the address variables set in snort.conf.
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/plain"; distance:1; classtype:misc-activity; sid:540; rev:8;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content: "User-Agent\:ICQ"; classtype:misc-activity; sid:541; rev:6;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; classtype:misc-activity; sid:1463; rev:3;)

alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"|2a 01|"; offset:0; depth:2; classtype:policy-violation; sid:1631; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CHAT Yahoo messenger login"; flags: A+; content:"domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT Yahoo messenger file transfer"; flags: A+; content:"FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)
Expert Comment

by:beerbar
ID: 8210524
The Yahoo line is 2 sigs; at the end of line 1 the word "alert" starts a new sig.
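What makes the rules above work where the PIX ACLs did not is that most of them match on bytes in the payload rather than on a port or a server address: the ICQ and Yahoo rules say "any" for the port, so they still fire when the client falls back to port 80 as edmonds_robert describes. The Python below is an added example, not code from the thread or from Snort itself; it implements the content, offset, depth, distance and nocase modifiers the way Snort 2 defines them (a content carrying "distance" is searched relative to the end of the previous match, any other content from the start of the payload), ignores the flow, flags, address and port fields, and runs beerbar's six rules over constructed payloads that imitate each protocol's login or message. None of the payloads is a real capture.

```python
"""Evaluate the payload options of the CHAT rules above on sample payloads.

Added example, not code from the thread or from Snort. Only the content
modifiers (offset, depth, distance, nocase) are honoured; flow, flags and
the address/port fields are ignored. All payloads below are constructed.
"""

RULES = r"""
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/plain"; distance:1; classtype:misc-activity; sid:540; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content: "User-Agent\:ICQ"; classtype:misc-activity; sid:541; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:to_server,established; content:"PRIVMSG "; nocase; offset:0; classtype:misc-activity; sid:1463; rev:3;)
alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"|2a 01|"; offset:0; depth:2; classtype:policy-violation; sid:1631; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CHAT Yahoo messenger login"; flags: A+; content:"domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT Yahoo messenger file transfer"; flags: A+; content:"FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)
"""


def split_options(rule):
    """Yield (key, value) from the text inside the rule's parentheses,
    splitting on ';' only outside double quotes; backslash escapes are kept."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, escaped = [], "", False, False
    for ch in body:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == '"':
            cur, in_quote = cur + ch, not in_quote
        elif ch == ";" and not in_quote:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
    for opt in opts + [cur]:
        if opt.strip():
            key, _, value = opt.partition(":")
            yield key.strip(), value.strip()


def decode_content(value):
    """Quoted content value -> bytes: |hh hh| is hex, backslash-x is a literal x."""
    s, out, i = value.strip().strip('"'), bytearray(), 0
    while i < len(s):
        if s[i] == "|":
            end = s.index("|", i + 1)
            out += bytes.fromhex(s[i + 1:end])
            i = end + 1
        elif s[i] == "\\" and i + 1 < len(s):
            out.append(ord(s[i + 1]))
            i += 2
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)


def parse_rule(rule):
    """Return (msg, content checks in order); a modifier binds to the last content."""
    msg, checks = "", []
    for key, value in split_options(rule):
        if key == "msg":
            msg = value.strip('"')
        elif key == "content":
            checks.append({"pattern": decode_content(value), "nocase": False,
                           "offset": 0, "depth": None, "distance": None})
        elif key in ("offset", "depth", "distance"):
            checks[-1][key] = int(value)
        elif key == "nocase":
            checks[-1]["nocase"] = True
    return msg, checks


def rule_matches(checks, payload):
    """True if every content check hits, honouring offset/depth/distance/nocase."""
    last_end = 0
    for c in checks:
        hay, needle = payload, c["pattern"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        # distance: search from the end of the previous match; else from offset
        start = last_end + c["distance"] if c["distance"] is not None else c["offset"]
        end = len(hay) if c["depth"] is None else start + c["depth"]
        pos = hay.find(needle, start, end)
        if pos < 0:
            return False
        last_end = pos + len(needle)
    return True


PARSED = [parse_rule(line) for line in RULES.strip().splitlines()]

# Constructed payloads (not captures): one per protocol, plus web browsing.
SAMPLES = {
    "msn_text": b"MSG 4 N 133\r\nMIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\nhello",
    "icq_http": b"GET /icq/login HTTP/1.1\r\nHost: login.example\r\nUser-Agent:ICQ 2003a\r\n\r\n",
    "aim_flap": b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01",
    "yahoo_login": b"YMSG\x00\x0b\x00\x00\x00\x40\x00\x01\x00\x00\x00\x00Set-Cookie: Y=v=1; domain=.yahoo.com",
    "yahoo_xfer": b"YMSG\x00\x0b\x00\x00\x00\x20\x00\x46\x00\x00\x00\x0020\xc0\x80FILEXFER\xc0\x80",
    "irc": b"privmsg #ops :deploy done\r\n",
    "web_browse": b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
}


def classify(payload):
    """msg of every rule whose content checks all match the payload."""
    return [msg for msg, checks in PARSED if rule_matches(checks, payload)]


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:12} -> {classify(payload) or 'no CHAT rule'}")
```

Two details worth noticing: "MSG " with depth:4 and the AIM "|2a 01|" with offset:0 / depth:2 are anchored to the first bytes of the payload, so they are cheap and hard to confuse with other traffic, whereas the Yahoo rules use two unanchored contents and rely on the pair being rare together. The browsing sample matches nothing even though it carries a User-Agent header, because the ICQ content includes the colon and the client name as one string.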
Author Comment

by:net-geek
ID: 8211066
I am giving you the allotted points. Thanks for your help.
I was just curious as to how to get signatures for a specific application. I mean, can I write my own signatures and apply them? This may sound a very trivial question, but I would really appreciate it if you take time out to answer.
Expert Comment

by:beerbar
ID: 8217521
You would need to use a packet sniffer like tcpdump or Ethereal. Set it up in a test environment and on another machine fire up the app in question and watch it go. Sort through the data collected and produce a sig. Sometimes it's very simple and sometimes it's very difficult. Depends on a whole number of factors.
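The "sort through the data and produce a sig" step in beerbar's answer can be made mechanical for the common case. The Python below is an added example, not code from the thread or from any Snort tool: given the first client-to-server payload of several logins of one application, as you would extract them from a tcpdump or Ethereal capture, it finds the longest byte string common to all of them that never occurs in a corpus of benign traffic, records whether that string sits at a fixed offset, and renders a Snort 2 rule with content plus offset/depth. The application ("XCHT" framing), its payloads and the benign samples are all constructed for the example; nothing here is a real capture.

```python
"""Derive a Snort content signature from captured client payloads.

Added example (not from the thread). The client protocol, its login
payloads and the benign corpus are constructed for illustration.
"""

# Constructed: first client->server packet of three logins of a hypothetical
# client. The 8-byte framing is constant; the length byte and fields vary.
APP_LOGINS = [
    b"\xec\x01XCHT\x00\x01\x13user=alice\x00ver=3.1\x00",
    b"\xec\x01XCHT\x00\x01\x11user=bob\x00ver=3.1\x00",
    b"\xec\x01XCHT\x00\x01\x13user=carol\x00ver=3.0\x00",
]

# Constructed benign traffic the signature must not fire on: a web request,
# the start of a TLS ClientHello, and a form post that also says "user=".
BENIGN = [
    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"\x16\x03\x01\x00\x90\x01\x00\x00\x8c\x03\x01",
    b"POST /login HTTP/1.1\r\n\r\nuser=alice&pass=hunter2",
]


def common_substrings(samples, min_len=4):
    """Yield substrings of the shortest sample, longest first, that occur in
    every sample (tiny inputs, so brute force is fine)."""
    shortest = min(samples, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        seen = set()
        for i in range(len(shortest) - length + 1):
            cand = shortest[i:i + length]
            if cand in seen:
                continue
            seen.add(cand)
            if all(cand in s for s in samples):
                yield cand


def derive_signature(app_samples, benign_samples, min_len=4):
    """Longest byte string shared by every app sample and absent from every
    benign sample. Returns (pattern, offset) with offset None if it moves."""
    for cand in common_substrings(app_samples, min_len):
        if any(cand in b for b in benign_samples):
            continue  # would alert on normal traffic; try a shorter candidate
        offsets = {s.find(cand) for s in app_samples}
        return cand, (offsets.pop() if len(offsets) == 1 else None)
    return None, None


SAFE = set(range(0x20, 0x7f)) - set(b'";|\\')


def to_snort_content(pattern):
    """Render bytes as a Snort content string, hex-escaping what is not
    printable or would collide with the content syntax."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{b:02x}" for b in hexrun) + "|")
            hexrun.clear()

    for b in pattern:
        if b in SAFE:
            flush()
            out.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(out)


def build_rule(pattern, offset, msg, sid):
    """Snort 2 rule text; offset/depth pin the content when it is fixed."""
    opts = [f'msg:"{msg}"', "flow:to_server,established",
            f'content:"{to_snort_content(pattern)}"']
    if offset is not None:
        opts += [f"offset:{offset}", f"depth:{len(pattern)}"]
    opts += ["classtype:policy-violation", f"sid:{sid}", "rev:1"]
    return "alert tcp $HOME_NET any -> $EXTERNAL_NET any (" + "; ".join(opts) + ";)"


if __name__ == "__main__":
    pattern, offset = derive_signature(APP_LOGINS, BENIGN)
    print(build_rule(pattern, offset, "CHAT XCHT login", 1000010))
```

Run against the samples, the derivation settles on the 8-byte framing at offset 0 rather than the longer-looking "user=" or "ver=3." fields, because the framing is the longest string all three logins share and it never appears in the benign corpus. The same function returns nothing for payloads whose only shared string is "user=", since the benign form post contains it too; that is the signal that the capture needs more than the first packet, or that the sig has to combine two contents the way the Yahoo rules do.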