Use snort flexresp to reset conns or snort-inline (with honeywall)
Unsure if you could manipulate fw ngai to drop on content types below.
Regards
Eric Appelboom
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; nocase; distance:0; content:"text/x-msmsgsinvite"; nocase; distance:0; content:"Application-Name\:"; content:"File Transfer"; nocase; distance:0; classtype:policy-violation; sid:1986; rev:1; resp: rst_all;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command\:"; content:"ACCEPT"; distance:1; classtype:policy-violation; sid:1988; rev:1; resp: rst_all;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer reject"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command\:"; content:"CANCEL"; distance:0; content:"Cancel-Code\:"; nocase; content:"REJECT"; nocase; distance:0; classtype:policy-violation; sid:1989; rev:1; resp: rst_all;)
-----Original Message-----
From: Edwin Davidson [mailto:EDavidson AT PRIMEINC DOT COM]
Sent: 21 May 2004 10:08 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] MSN IM Data transfer blocking
I'm not sure about MSN, but with AOL you have a HKCU registry setting
for all this stuff. You can set the registry setting so that file
transfer is disabled. Using an OPSEC product
(www.opswat.com???) you might be able to specify that this registry
setting must be set to disabled to be able to use instant messenger.
Just an idea. We block all MSN, and we use Zenworks to disable file
transfers on AOL AIM via the registry.
http://www.primeinc.com
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email fw-1-owner AT ts.checkpoint DOT com
=================================================
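The content chains of the three rules in this thread (sids 1986, 1988, 1989), emulated in Python as an added example that is not part of the original emails and is not Snort's own matcher. It assumes simplified semantics for depth, distance and nocase, and the MSN payloads are constructed samples.

```python
# Simplified emulation of Snort content matching (added example, not Snort code).
# Each content is (pattern, nocase, depth, distance). distance None means the
# search starts at the beginning of the payload, not after the previous match.
RULES = {
    1986: [(b"MSG ", False, 4, None), (b"Content-Type:", True, None, 0),
           (b"text/x-msmsgsinvite", True, None, 0),
           (b"Application-Name:", False, None, None),
           (b"File Transfer", True, None, 0)],
    1988: [(b"MSG ", False, 4, None), (b"Content-Type:", False, None, None),
           (b"text/x-msmsgsinvite", False, None, 0),
           (b"Invitation-Command:", False, None, None),
           (b"ACCEPT", False, None, 1)],
    1989: [(b"MSG ", False, 4, None), (b"Content-Type:", False, None, None),
           (b"text/x-msmsgsinvite", False, None, 0),
           (b"Invitation-Command:", False, None, None),
           (b"CANCEL", False, None, 0), (b"Cancel-Code:", True, None, None),
           (b"REJECT", True, None, 0)],
}

def chain_matches(data, contents, idx=0, prev_end=0):
    """Try every occurrence of a content so later relative contents can match."""
    if idx == len(contents):
        return True
    pat, nocase, depth, distance = contents[idx]
    hay, needle = (data.lower(), pat.lower()) if nocase else (data, pat)
    start = 0 if distance is None else prev_end + distance
    end = len(data) if depth is None else start + depth
    pos = hay.find(needle, start, end)
    while pos != -1:
        if chain_matches(data, contents, idx + 1, pos + len(pat)):
            return True
        pos = hay.find(needle, pos + 1, end)
    return False

def fired_sids(payload):
    """Return the sids whose whole content chain matches one TCP payload."""
    return [sid for sid, c in RULES.items() if chain_matches(payload, c)]

# Constructed MSN payloads (address, nickname and length field are made up).
HDR = b"MSG alice@example.com Alice 0\r\nMIME-Version: 1.0\r\nContent-Type: "
INVITE = HDR + (b"text/x-msmsgsinvite; charset=UTF-8\r\n\r\nApplication-Name: "
                b"File Transfer\r\nInvitation-Command: INVITE\r\n\r\n")
ACCEPT = HDR + b"text/x-msmsgsinvite\r\n\r\nInvitation-Command: ACCEPT\r\n\r\n"
REJECT = HDR + (b"text/x-msmsgsinvite\r\n\r\nInvitation-Command: CANCEL\r\n"
                b"Cancel-Code: REJECT\r\n\r\n")
CHAT = HDR + b"text/plain\r\n\r\nFile Transfer? ACCEPT or REJECT\r\n"

if __name__ == "__main__":
    for name, p in [("invite", INVITE), ("accept", ACCEPT),
                    ("reject", REJECT), ("chat", CHAT)]:
        print(name, fired_sids(p))
```

Running the rules against a capture of real client traffic in a lab before enabling `resp: rst_all` shows whether ordinary chat messages stay untouched.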