Yahoo messenger the signature are 11208,5539,12675,11200,11212,11217,11218,11219,11221. Most of them are set to information only. You can enable them ask for producing alerts.
For MSN
http://tools.cisco.com/security/center/prsc/searchSignatures.x?vendor=&k=msn&sig_df=&sig_dt=&as=&rsx=&search_button=Search
Check the above link. again most set to information only.
For youtube you could find out its IPaddress range and set up access-list on your ASA to not allow your users access this webpage. Not sure about real video. You would have to get a custom signature for this. I placed an custom sig for kazaa try following same procedure for Real video.
For Kazaa a p2p application. THe first thing is that you need to capture those packets using ethereal or any packet sniffer tools. Pick up a sample traffic. Look for something in the traffic sample that will identify the Kazaa application.
Signature identify key parts of the traffic which wouldn't change. For Kazaa the payload seems to have the same last 6 bytes in multiple captures.
Traffic characteristics, usually an UDP packet, Payload always ends with the same 6 bytes, payload ends in "kazaa" followed by null (ox00)
Custom Signature Settings
- Engine: ATOMIC.IP
- L4 Protocol of UDP
- Payload Regex: [Kk][Aa][Zz][Aa][Aa]\x00
Create a custom signature based on this:
In event action you could ask for a Produce Verbose alert. Specify the Layer 4 protocol. Use the Payload inspection to specify the regex.
Leave the signature turned on for atleast a week or two. And check for results.
HTH
Hoogen
Do rate if this post helps :)