Custom Signature for GoogleTalk (Google Talk)

jeremyarcher
Level 1

I was wondering if anyone has successfully created a custom signature to block GoogleTalk traffic?

Thanks,

Jeremy

7 Replies

mzeiser
Cisco Employee

Did you try blocking talk.google.com?

Yes, but the address range used for talk.google.com is also used for blogger.

Instead, I created a custom signature and blocked Regex URI talkgadget.

This does not block the GoogleTalk client though, only the web client.

I've never tested, but perhaps you can pilfer from these:

Stolen from Bleeding edge Snort rules:

#by Mark Tombaugh

alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"BLEEDING-EDGE POLICY Google Talk (Jabber) Client Login"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:9; within:6; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; sid:2002327; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BLEEDING-EDGE POLICY Google Talk TLS Client Traffic"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:64; within:78; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; sid:2002330; rev:2;)

info
Level 1

Well you can always just make the following records on your DNS Server and have it point to the loop-back addy. That should put an end to the google chat client.

talk.google.com - 127.0.0.1

talkx.l.google.com - 127.0.0.1

I think that this is the best option as well.

attmidsteam
Level 1

Have you tried enabling signature 11204 (Jabber Activity)? I believe this is googletalk traffic below.

evIdsAlert: eventId=1175405913811111111 severity=low vendor=Cisco
  originator:
    hostId: xxxxxx
    appName: sensorApp
    appInstanceId: 446
  time: 2007/11/05 20:28:19 2007/11/05 20:28:19 UTC
  signature: description=Jabber Activity id=11204 version=S47
    subsigId: 0
    sigDetails: jabber:
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=IN x.x.x.x
      port: xxxxx
    target:
      addr: locality=OUT 209.85.163.125
      port: 5222
  context:
    fromAttacker:
000000 3C 73 74 72 65 61 6D 3A 73 74 72 65 61 6D 20 74 <stream:stream t
000010 6F 3D 22 67 6D 61 69 6C 2E 63 6F 6D 22 20 78 6D o="gmail.com" xm
000020 6C 3A 6C 61 6E 67 3D 22 65 6E 22 20 76 65 72 73 l:lang="en" vers
000030 69 6F 6E 3D 22 31 2E 30 22 20 78 6D 6C 6E 73 3A ion="1.0" xmlns:
000040 73 74 72 65 61 6D 3D 22 68 74 74 70 3A 2F 2F 65 stream="http://e
000050 74 68 65 72 78 2E 6A 61 62 62 65 72 2E 6F 72 67 therx.jabber.org
000060 2F 73 74 72 65 61 6D 73 22 20 78 6D 6C 6E 73 3D /streams" xmlns=
000070 22 6A 61 62 62 65 72 "jabber
  riskRatingValue: 45
  interface: ge2_1
  protocol: tcp

Yes, this signature will fire but the GoogleTalk client continues to try and connect on different ports (443) until it reconnects.
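As an added example (not code from this thread, from Cisco, or from the Bleeding Edge rule set), the Python below parses the fromAttacker hex dump that signature 11204 captured in the alert above and replays the content/nocase/distance/within chain of sid 2002327, quoted earlier in the thread, against those bytes. The matcher implements the Snort 2 semantics as I understand them (distance and within are measured from the end of the previous content match, and the pattern must fit entirely inside the window); the "classic" opener with xmlns="jabber immediately after to="gmail.com" is constructed and not from the page. A check worth making before relying on the rule: in the captured opener the xml:lang attribute follows to="gmail.com", so the exact distance:9/within:6 constraint does not match these bytes, while an order-only chain (gmail.com followed anywhere by jabber) does.

```python
import re

# Hex dump quoted in the alert above (offset, up to 16 hex bytes, ASCII column).
# The parser keeps only the hex bytes; the ASCII column on the first line was
# restored from the bytes because the forum page dropped it.
SENSOR_HEXDUMP = """\
000000 3C 73 74 72 65 61 6D 3A 73 74 72 65 61 6D 20 74 <stream:stream t
000010 6F 3D 22 67 6D 61 69 6C 2E 63 6F 6D 22 20 78 6D o="gmail.com" xm
000020 6C 3A 6C 61 6E 67 3D 22 65 6E 22 20 76 65 72 73 l:lang="en" vers
000030 69 6F 6E 3D 22 31 2E 30 22 20 78 6D 6C 6E 73 3A ion="1.0" xmlns:
000040 73 74 72 65 61 6D 3D 22 68 74 74 70 3A 2F 2F 65 stream="http://e
000050 74 68 65 72 78 2E 6A 61 62 62 65 72 2E 6F 72 67 therx.jabber.org
000060 2F 73 74 72 65 61 6D 73 22 20 78 6D 6C 6E 73 3D /streams" xmlns=
000070 22 6A 61 62 62 65 72 "jabber
"""

# Constructed (not from the thread): the stream opener shape the rule's
# distance:9 / within:6 constraint was evidently written for, where
# xmlns="jabber follows to="gmail.com" with exactly 9 bytes in between.
CLASSIC_OPENER = (
    b'<stream:stream to="gmail.com" xmlns="jabber:client" '
    b'xmlns:stream="http://etherx.jabber.org/streams" version="1.0">'
)

HEX_OFFSET = re.compile(r"[0-9A-Fa-f]{6}")
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_hexdump(dump: str) -> bytes:
    """Turn sensor-style hex dump lines into the raw payload bytes."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not HEX_OFFSET.fullmatch(tokens[0]):
            continue
        for tok in tokens[1:17]:          # at most 16 bytes per line
            if not HEX_BYTE.fullmatch(tok):  # ASCII column starts here
                break
            out.append(int(tok, 16))
    return bytes(out)


def find_content(payload, pattern, nocase=False, start=0, within=None):
    """Snort-style content search: return the end offset of the first match
    that lies fully inside [start, start + within), or None."""
    hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    stop = len(hay) if within is None else min(len(hay), start + within)
    idx = hay.find(needle, start, stop)
    return None if idx < 0 else idx + len(needle)


def match_chain(payload, chain):
    """Evaluate a chain of (pattern, nocase, distance, within) contents where
    every content after the first is relative to the previous match.
    Returns the end offset of each match, or None if any content fails."""
    ends, cursor = [], 0
    for pattern, nocase, distance, within in chain:
        end = find_content(payload, pattern, nocase, cursor + (distance or 0), within)
        if end is None:
            return None
        ends.append(end)
        cursor = end
    return ends


# Content chain exactly as in sid 2002327 quoted above.
SID_2002327_CHAIN = [
    (b"gmail.com", True, None, None),
    (b"jabber", True, 9, 6),
]

# Same two contents without the positional constraint: ordering only.
ORDER_ONLY_CHAIN = [
    (b"gmail.com", True, None, None),
    (b"jabber", True, None, None),
]

CAPTURED_OPENER = parse_hexdump(SENSOR_HEXDUMP)


def rule_fires_on_capture():
    """sid 2002327 against the bytes the sensor captured: no match."""
    return match_chain(CAPTURED_OPENER, SID_2002327_CHAIN)


def rule_fires_on_classic():
    """sid 2002327 against the constructed classic opener: matches at 28 and 43."""
    return match_chain(CLASSIC_OPENER, SID_2002327_CHAIN)


if __name__ == "__main__":
    print("captured opener:", CAPTURED_OPENER.decode())
    print("sid 2002327 on capture:", rule_fires_on_capture())
    print("sid 2002327 on classic opener:", rule_fires_on_classic())
    print("order-only chain on capture:", match_chain(CAPTURED_OPENER, ORDER_ONLY_CHAIN))
```

The order-only chain trades precision for coverage: it would also fire on the etherx.jabber.org namespace URI present in every XMPP stream header, so a sensor tuned that way needs the port or TLS context the original rules carry to stay useful.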
