Cisco Support Community

New Member

Custom Signature for GoogleTalk (Google Talk)

I was wondering if anyone has successfully created a custom signature to block GoogleTalk traffic?

Thanks,

Jeremy

7 REPLIES
Cisco Employee

Re: Custom Signature for GoogleTalk (Google Talk)

Did you try blocking talk.google.com?

New Member

Re: Custom Signature for GoogleTalk (Google Talk)

Yes, but the address range used for talk.google.com is also used for blogger.

Instead, I created a custom signature and blocked Regex URI talkgadget.

This does not block the GoogleTalk client though, only the web client.

Gold

Re: Custom Signature for GoogleTalk (Google Talk)

I've never tested, but perhaps you can pilfer from these:

Stolen from Bleeding edge Snort rules:

#by Mark Tombaugh

alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"BLEEDING-EDGE POLICY Google Talk (Jabber) Client Login"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:9; within:6; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; sid:2002327; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BLEEDING-EDGE POLICY Google Talk TLS Client Traffic"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:64; within:78; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; sid:2002330; rev:2;)

New Member

Re: Custom Signature for GoogleTalk (Google Talk)

Well you can always just make the following records on your DNS Server and have it point to the loop-back addy. That should put an end to the google chat client.

talk.google.com - 127.0.0.1

talkx.l.google.com - 127.0.0.1

New Member

Re: Custom Signature for GoogleTalk (Google Talk)

I think that this is the best option as well.

Silver

Re: Custom Signature for GoogleTalk (Google Talk)

Have you tried enabling signature 11204 (Jabber Activity)? I believe this is googletalk traffic below.

evIdsAlert: eventId=1175405913811111111 severity=low vendor=Cisco
  originator:
    hostId: xxxxxx
    appName: sensorApp
    appInstanceId: 446
  time: 2007/11/05 20:28:19 2007/11/05 20:28:19 UTC
  signature: description=Jabber Activity id=11204 version=S47
    subsigId: 0
    sigDetails: jabber:
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: locality=IN x.x.x.x
      port: xxxxx
    target:
      addr: locality=OUT 209.85.163.125
      port: 5222
  context:
    fromAttacker:
      000000 3C 73 74 72 65 61 6D 3A 73 74 72 65 61 6D 20 74  <stream:stream t
      000010 6F 3D 22 67 6D 61 69 6C 2E 63 6F 6D 22 20 78 6D  o="gmail.com" xm
      000020 6C 3A 6C 61 6E 67 3D 22 65 6E 22 20 76 65 72 73  l:lang="en" vers
      000030 69 6F 6E 3D 22 31 2E 30 22 20 78 6D 6C 6E 73 3A  ion="1.0" xmlns:
      000040 73 74 72 65 61 6D 3D 22 68 74 74 70 3A 2F 2F 65  stream="http://e
      000050 74 68 65 72 78 2E 6A 61 62 62 65 72 2E 6F 72 67  therx.jabber.org
      000060 2F 73 74 72 65 61 6D 73 22 20 78 6D 6C 6E 73 3D  /streams" xmlns=
      000070 22 6A 61 62 62 65 72                             "jabber
  riskRatingValue: 45
  interface: ge2_1
  protocol: tcp
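Added example (not written by any poster in this thread, and not Cisco or Snort code): the port 5222 Snort rule quoted earlier ties "jabber" to a fixed position after "gmail.com", so this sketch replays that positional test against the stream header captured in the alert above and compares it with an order-independent header check. It assumes Snort 2 semantics for distance/within (a search window that starts `distance` bytes after the previous match and is `within` bytes long); the function names and the COMPACT sample are hypothetical and constructed for illustration.

```python
import re

# Bytes copied from the fromAttacker hex dump in the alert above.
CAPTURED = bytes.fromhex(
    "3C73747265616D3A73747265616D2074"
    "6F3D22676D61696C2E636F6D2220786D"
    "6C3A6C616E673D22656E222076657273"
    "696F6E3D22312E302220786D6C6E733A"
    "73747265616D3D22687474703A2F2F65"
    "74686572782E6A61626265722E6F7267"
    "2F73747265616D732220786D6C6E733D"
    "226A6162626572"
)

# Constructed sample: a header layout the positional rule lines up with.
COMPACT = b'<stream:stream to="gmail.com" xmlns="jabber:client">'


def positional_match(payload, first=b"gmail.com", second=b"jabber",
                     distance=9, within=6):
    """Emulate content/distance/within under the assumed Snort 2 semantics."""
    data = payload.lower()  # both contents carry nocase
    pos = data.find(first)
    while pos != -1:
        start = pos + len(first) + distance
        if second in data[start:start + within]:
            return True
        pos = data.find(first, pos + 1)
    return False


def header_match(payload):
    """Order-independent check: XMPP stream open addressed to gmail.com."""
    m = re.search(rb"<stream:stream\b[^>]*", payload.lower())
    if not m:
        return False
    attrs = m.group(0)
    # \x22 and \x27 are the double and single quote characters.
    has_to = re.search(rb"\bto=[\x22\x27]gmail\.com[\x22\x27]", attrs)
    return has_to is not None and b"jabber" in attrs


if __name__ == "__main__":
    for name, sample in (("captured", CAPTURED), ("compact", COMPACT)):
        print(name, positional_match(sample), header_match(sample))
```

On the captured header, extra attributes (xml:lang, version) sit between the two strings, so the positional test misses it while the header check still matches; neither check can see inside an encrypted session on port 443.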

New Member

Re: Custom Signature for GoogleTalk (Google Talk)

Yes, this signature will fire but the GoogleTalk client continues to try and connect on different ports (443) until it reconnects.
