SonicALERT

Sonicwall Signatures

 



Category: IM

IM Category Description

This SonicWALL IPS signature category consists of a group of signatures that detect and prevent Instant Messaging (IM) network traffic. Instant Messaging is real-time chat that users participate in over the Internet using a variety of messaging clients, including AOL Instant Messenger (AIM), Yahoo! Instant Messenger, MSN Messenger, and others. Most clients allow users to do more than send text messages to one another: they let users post links in profiles and messages, exchange voice and video content, and transfer files of up to 10 MB. While this type of communication can be useful, it can also damage productivity, increase network traffic, and expose the network to a variety of threats that exploit client software vulnerabilities or socially engineer users into compromising network security.

While most of the negative impact of IM traffic on a network is degraded performance from the added traffic, there are several more serious threats. IM applications open ports on computers that expose them to threats such as buffer overflow attacks, in which an attacker exploits a vulnerability in the client software to take control of the computer. An older version of AIM, for example, was vulnerable to attack through its Buddy Icon feature: an attacker could send a user a buddy icon whose "source" parameter contained more than 3000 characters, overflowing the stack and causing the computer to run arbitrary code. Computers were vulnerable even when the messenger was not logged on to a network. In such cases, blocking a client's default port is often not enough: most clients are programmed to try a number of different ports if one is blocked, and some can even send their traffic over the default HTTP port, TCP/80, where packets are often less scrutinized by firewalls. Port-based rules alone therefore miss this traffic; it has to be identified by the content of the protocol exchange, which is what the signatures listed below do.

Other threats involve socially engineering users of IM clients. Several worms and Trojans have used IM networks to propagate. Some send links to malicious code to every user on a victim's buddy list, while others post a link in the victim's profile that the victim's buddies are likely to click. Much like mass-mailer worms, these threats can spread quickly across a network and carry a variety of malicious payloads, including opening a backdoor that listens for commands and lets a remote attacker take control of computers on the network.

Finally, the file transfer functionality of IM clients increases the chance that malicious, buggy, or pirated software will be installed on computers on the network. While users receive files from buddies they trust, the origin of files and software passed around via IM is not verifiable. This makes a network especially vulnerable to Trojan horses, which try to fool a user into thinking that a malicious program is actually desirable, for example by displaying a picture or playing a video while the malicious processes install in the background.

SonicWALL IM signatures are mostly categorized as low or medium priority. When set to prevent, these signatures can block IM traffic by preventing login, blocking inbound and outbound messages, and stopping the status notifications that IM clients often send to each other. When set to detect only, they are a useful tool for monitoring how prevalent IM usage is among users on a network before deciding what to block. Note the tags in the list below: signatures marked [Reqs DPI-SSL] or [Reqs DPI-SSL CI] can only match if DPI-SSL (client inspection) is decrypting the traffic, since the content they look for is inside TLS, and the Skype TCP signatures marked [Reqs SIDs 5, 7] depend on those two Skype signatures also being enabled.
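The port-evasion point above (clients falling back to other ports, including TCP/80) and the detect-mode use just described, as an added example in Python that is not SonicWall code: a small port-agnostic classifier that recognises OSCAR (AIM/ICQ), XMPP (Jabber) and IRC client hellos by payload fingerprint rather than by destination port, run over constructed sample flows. The port table, the fingerprints and the sample payloads are this example's own assumptions and do not reproduce the content of any SonicWall signature.

```python
"""Port-agnostic IM protocol detection over client-to-server TCP payloads.

Added example, not SonicWall code.  It shows why an IPS matches on payload
content rather than destination port: the same OSCAR (AIM/ICQ), XMPP and
IRC traffic is recognised whether it arrives on the protocol's usual port
or on TCP/80.  Every sample flow below is constructed for the example.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumption: a port-only policy blocks exactly these well-known ports.
PORT_RULES: Dict[int, str] = {5190: "AIM/ICQ (OSCAR)", 5222: "XMPP", 6667: "IRC"}

# Protocol fingerprints, written against the public protocol formats.
XMPP_OPEN = re.compile(rb"\s*(?:<\?xml[^>]*>\s*)?<stream:stream\b[^>]*\bjabber:client")
IRC_REGISTER = re.compile(rb"(?:PASS \S+\r\n)?NICK \S+\r\n")


def by_port(dst_port: int) -> Optional[str]:
    """Port-based rule: only knows the default ports."""
    return PORT_RULES.get(dst_port)


def by_content(payload: bytes) -> Optional[str]:
    """Content-based rule: looks at the first client message of a flow.

    OSCAR FLAP frame: 0x2A marker, channel byte 1..5, 16-bit sequence
    number, 16-bit data length that must equal the remaining bytes.
    XMPP: stream opening tag carrying the jabber:client namespace.
    IRC: connection registration (optional PASS, then NICK).
    """
    if len(payload) >= 6 and payload[0] == 0x2A and 1 <= payload[1] <= 5:
        data_len = int.from_bytes(payload[4:6], "big")
        if data_len == len(payload) - 6:
            return "AIM/ICQ (OSCAR)"
    if XMPP_OPEN.match(payload):
        return "XMPP"
    if IRC_REGISTER.match(payload):
        return "IRC"
    return None


def classify(dst_port: int, payload: bytes) -> Dict[str, Optional[str]]:
    """Return what each kind of rule would conclude for one flow."""
    return {"port_rule": by_port(dst_port), "content_rule": by_content(payload)}


# Constructed sample flows: (destination port, first client payload).
OSCAR_HELLO = b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"  # FLAP channel 1, version 1
XMPP_HELLO = (b"<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
              b"xmlns:stream='http://etherx.jabber.org/streams' "
              b"to='example.com' version='1.0'>")
IRC_HELLO = b"NICK alice\r\nUSER alice 0 * :Alice\r\n"
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

SAMPLE_FLOWS: List[Tuple[int, bytes]] = [
    (5190, OSCAR_HELLO),  # AIM on its default port
    (80, OSCAR_HELLO),    # AIM client that fell back to TCP/80
    (80, HTTP_GET),       # ordinary web traffic: must not match
    (443, XMPP_HELLO),    # XMPP on a non-default port
    (8080, IRC_HELLO),    # IRC on a non-default port
]


def summarize(flows: List[Tuple[int, bytes]]) -> Dict[str, object]:
    """Detect-mode view: how much IM is present, and how much of it a
    port-only rule would have missed."""
    counts: Counter = Counter()
    missed = 0
    for port, payload in flows:
        verdict = classify(port, payload)
        if verdict["content_rule"]:
            counts[verdict["content_rule"]] += 1
            if verdict["port_rule"] is None:
                missed += 1
    return {"by_protocol": dict(counts), "missed_by_port_rule": missed}


if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(port, classify(port, payload))
    print(summarize(SAMPLE_FLOWS))
```

Of the four IM flows in the sample set, three would pass a port-only rule untouched, including the AIM login sent to TCP/80; the content check catches all four and leaves the plain HTTP request alone. The FLAP length check is what keeps the OSCAR match from firing on any stray byte string that happens to start with 0x2A.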

  Skype -- Login over TCP
  Skype -- Skype Network Discovery
  ICQ -- TCP Activity
  IRC -- App Feature (Nickname Change)
  IRC -- TCP Activity (Hostname Request)
  IRC -- TCP Activity (Hostname Response)
  AIM -- Login (TCP) 1
  AIM -- App Feature (Messaging)
  AIM -- Login (HTTP) 1
  AIM -- App Feature (File Transfer) 1
  AIM -- App Feature (Audio) 1
  AIM -- App Feature (Audio) 2
  AIM -- App Feature (Video) 1
  AIM -- App Feature (Video) 2
  AIM -- SSL/TLS Activity 1
  Trillian -- HTTP User-Agent
  Demonsaw -- HTTP Activity
  IMVU -- HTTPS Activity
  Google Talk -- HTTPS Activity 1
  Lava Lava -- UDP Activity
  NateOn -- HTTP Activity
  NateOn -- Login
  PalTalk -- HTTP Activity
  PalTalk -- TCP Activity
  PalTalk Express -- HTTP Activity
  Chatango -- HTTP Activity
  Flock Messenger -- HTTPS Activity
  IP Messenger -- HTTPS Activity
  Aliwangwang -- TCP Activity 1
  Aliwangwang -- Proprietary Protocol 1
  Aliwangwang -- Proprietary Protocol 2
  Gadu-Gadu -- Login 1
  Gadu-Gadu -- Login 2
  WhatsApp -- App Feature (Download Document) [Reqs DPI-SSL CI]
  Ares(Y99) Chat -- HTTPS Activity [Reqs DPI-SSL CI]
  AIM -- Login (HTTP) 2
  QQ -- HTTP Activity 1
  QQ -- App Feature (Chat) 7
  Zalo -- App Feature (Chat) 2
  Zalo -- HTTPS Activity 2
  Kakao Talk -- HTTPS Activity (CN kakao.com)
  Zalo -- HTTPS Activity 3
  AIM -- Login (TCP) 2
  AIM -- App Feature (File Transfer) 2
  Zalo -- App Feature (Chat) 3
  Skype -- TCP Activity 6 [Reqs SIDs 5, 7]
  Skype -- UDP Activity 2
  Sohu SOQ -- HTTP Activity
  Sina UC -- HTTP Activity
  Rediff BOL -- HTTP Activity
  Rediff BOL -- DNS Query
  Google Chat -- HTTPS Activity
  Jami -- HTTPS Activity
  Jami -- DNS Query
  AIM -- Login (HTTP) 3
  Digsby -- TCP Activity 1
  Digsby -- TCP Activity 2
  Digsby -- DNS Query (digsby.org)
  Digsby -- TCP Activity 3
  Digsby -- DNS Query (digsby.com)
  Digsby -- SSL/TLS Activity 1
  Baidu Hi -- HTTPS Activity
  Wire -- HTTPS Activity
  Textnow -- HTTPS Activity
  Clubhouse -- HTTPS Activity
  QQ -- HTTPS Activity
  Baidu Hi -- App Update
  Botim -- HTTPS Activity
  Skype -- TCP Activity 1 [Reqs SIDs 5, 7]
  Skype -- TCP Activity 2 [Reqs SIDs 5, 7]
  Skype -- TCP Activity 3 [Reqs SIDs 5, 7]
  Zangi -- HTTPS Activity
  Threema -- HTTPS Activity
  JivoChat -- HTTPS Activity
  QQ -- DNS Query (qq.com)
  QQ -- App Feature (Chat) 5
  SMS Free Sender -- HTTP Activity
  QQ -- App Feature (Chat) 9
  QQ -- App Feature (Chat) 1
  XMPP (Jabber) Protocol -- TCP Activity 1
  XMPP (Jabber) Protocol -- TCP Activity 2
  Kakao Talk -- Proprietary Protocol 1
  QQ -- App Feature (Chat) 8
  Google Talk -- HTTP Activity 2
  Skype -- TCP Activity 7 [Reqs SIDs 5, 7]
  Weblin -- HTTP User-Agent
  Club Cooee -- HTTP Activity
  Club Cooee -- HTTPS Activity
  tChat -- HTTP Activity
  XMPP (Jabber) Protocol -- TCP Activity 3
  Skype -- TCP Activity 4 [Reqs SIDs 5, 7]
  Apple iMessage -- HTTPS Activity
  QQ -- DNS Query (tencent.com)
  QQ -- App Feature (Chat) 6
  Facebook Messenger -- HTTP User-Agent [Reqs DPI-SSL]
  Facebook Messenger -- HTTP Activity 2 [Reqs DPI-SSL]
  Facebook Messenger -- SSL/TLS Activity 1
  QQ -- App Feature (Chat) 2
  Omegle -- HTTPS Activity
  QQ -- App Feature (Chat) 3
  QQ -- App Update 1
  Apple iMessage -- HTTP Activity
  TinyChat -- HTTP Activity
  AIM -- SSL/TLS Activity 3
  Adium -- HTTP User-Agent
  Skype -- TCP Activity 5 [Reqs SIDs 5, 7]
  Zalo -- DNS Query 1
  Zalo -- HTTPS Activity
  Trillian -- HTTP Activity
  Trillian -- HTTPS Activity
  QQ -- App Feature (File Transfer) 1
  Fetion -- HTTP Activity
  Fetion -- HTTP User-Agent
  Fetion -- TCP Activity
  AIM -- SSL/TLS Activity 4
  Novell Messenger -- Login
  Novell Messenger -- TCP Activity
  IMO IM -- Login 1
  Facebook Messenger -- SSL/TLS Activity 2
  AIM -- SSL/TLS Activity 2
  Digsby -- SSL/TLS Activity 2
  Digsby -- TCP Activity 4
  Digsby -- SSL/TLS Activity 3
  Google Talk -- HTTPS Activity 3
  Apple iMessage -- DNS Query
  Apple iMessage -- UDP Activity 1
  Apple iMessage -- UDP Activity 2
  Aliwangwang -- TCP Activity 2
  XMPP (Jabber) Protocol -- TCP Activity 4
  Facebook Messenger -- HTTP Activity 1 [Reqs DPI-SSL]
  Skype -- UDP Activity 1
  Skype -- TCP Activity 8 [Reqs SIDs 5, 7]
  IMO IM -- HTTP Activity
  IMO IM -- DNS Query
  Kakao Talk -- UDP Activity (Call Signalling) 1
  QQ -- App Feature (File Transfer) 2
  IMO IM -- Login 2
  IMO IM -- Login 3
  WhatsApp -- HTTPS Activity 1
  WhatsApp -- DNS Query
  TextPlus -- DNS Query
  TextPlus -- HTTPS Activity
  Viber -- DNS Query
  Viber -- SSL/TLS Activity
  NateOn -- DNS Query (nate.com)
  NateOn -- App Feature (Chat) 1
  NateOn -- App Feature (Chat) 2
  NateOn -- App Feature (File Transfer)
  NateOn -- App Feature (Remote Desktop) 1
  NateOn -- App Feature (Remote Desktop) 2
  TextMe -- HTTP Activity
  QQ -- App Update 2
  QQ -- App Feature (File Transfer) 3
  QQ -- App Feature (File Transfer) 4
  WhatsApp -- Proprietary Protocol 1
  QQ -- HTTP Activity 2
  Google Talk -- DNS Query
  Google Talk -- Client Request (Jabber)
  Google Talk -- Server Response (Jabber)
  Google Talk -- HTTP Activity 1
  GO SMS -- DNS Query
  GO SMS -- HTTP Activity
  GO SMS -- XMPP Activity
  Kakao Talk -- DNS Query (kakao.com)
  Kakao Talk -- HTTP Activity (kakao.com)
  Kakao Talk -- HTTPS Activity (kakao.com)
  Kik Messenger -- DNS Query
  Kik Messenger -- HTTP Activity
  Kik Messenger -- HTTPS Activity
  TextMe -- HTTPS Activity
  Kakao Talk -- HTTP Activity (kakao.co.kr)
  QQ -- App Feature (Voice/Video Call) 1
  QQ -- App Feature (Voice/Video Call) 6
  QQ -- App Feature (Voice/Video Call) 7
  QQ -- App Feature (Voice/Video Call) 8
  QQ -- App Feature (Voice/Video Call) 2
  QQ -- App Feature (Voice/Video Call) 3
  Yik Yak -- DNS Query 1
  IMVU -- HTTP Activity
  Kakao Talk -- DNS Query (kakaocdn.net)
  Kakao Talk -- HTTPS Activity (open.kakao.com)
  Kakao Talk -- Proprietary Protocol 2
  Kakao Talk -- HTTPS Activity (kakao.co.kr)
  Kakao Talk -- HTTPS Activity (talk-pilsner.kakao.com)
  Google Talk -- HTTPS Activity 2
  Yik Yak -- HTTP Activity
  Yik Yak -- DNS Query 2
  Whisper -- DNS Query 1
  Whisper -- DNS Query 2
  Whisper -- HTTP Activity
  Whisper -- HTTPS Activity
  After School -- HTTP Activity
  Wickr -- DNS Query
  Zalo -- App Feature (File Transfer)
  After School -- HTTPS Activity
  NetEase PoPo -- HTTP Activity
  Signal -- DNS Query
  Signal -- HTTPS Activity 1
  Signal -- HTTPS Activity 2
  Telegram Messenger -- DNS Query
  Telegram Messenger -- HTTPS Activity
  WhatsApp -- HTTPS Activity 2
  WhatsApp -- Proprietary Protocol 2
  QQ -- App Feature (Voice/Video Call) 4
  QQ -- App Feature (Voice/Video Call) 9
  QQ -- App Feature (Voice/Video Call) 5
  GroupMe -- DNS Query
  GroupMe -- SSL/TLS Activity
  WhatsApp -- App Feature (Upload Activity) 1 [Reqs DPI-SSL CI]
  Confide Messenger -- HTTPS Activity
  Sarahah -- HTTPS Activity
  WhatsApp -- App Feature (Upload Activity) 2 [Reqs DPI-SSL CI]
  WhatsApp -- Proprietary Protocol 3
  QQ -- App Feature (Chat) 4
  QQ -- Mobile Client 1
  QQ -- Mobile Client 2
  QQ -- Mobile Client 3
  QQ -- Mobile Client 4
  WhatsApp -- Proprietary Protocol 4
  WhatsApp -- Proprietary Protocol 5
  WhatsApp -- HTTP Activity 1
  WhatsApp -- HTTP Activity 2
  WhatsApp -- HTTP Activity 3
  Telegram Messenger -- HTTP Activity
  QQ -- Mobile Client 5
  QQ -- HTTP Activity 3
  QQ -- HTTP Activity 4
  QQ -- Mobile Client 6
  QQ -- HTTP Activity 5
  Zalo -- DNS Query 2
  Zalo -- App Feature (Chat) 1
  Kakao Talk -- HTTPS Activity (katalk.kakao.com)
  WhatsApp -- HTTPS Activity 3
  WhatsApp -- App Feature (Download Image) [Reqs DPI-SSL CI]
  WhatsApp -- App Feature (Download Video) [Reqs DPI-SSL CI]
  BiP -- HTTP Activity 1
  BiP -- HTTP Activity 2
  BiP -- HTTPS Activity 1
  BiP -- HTTPS Activity 2
  BiP -- HTTPS Activity 3

