File: 2456.txt

package info (click to toggle)
snort 2.9.15.1-5
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 59,656 kB
  • sloc: ansic: 310,441; sh: 13,260; makefile: 2,943; yacc: 497; perl: 496; lex: 261; sed: 14
file content (52 lines) | stat: -rw-r--r-- 1,353 bytes parent folder | download | duplicates (8)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Rule:

--
Sid:
2456

--
Summary:
This event is generated when a host in your network that has Yahoo Instant Messenger running attempts to send a file to another Yahoo IM user. 

--
Impact:
Possible policy violation.  Instant Messenger programs may not be appropriate in certain network environments.

--
Detailed Information:
It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor.  Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy.  This may also provide a less scrutinized means of sharing unauthorized or inappropriate files with others. 

--
Affected Systems:
Any host running Yahoo Instant Messenger.

--
Attack Scenarios:
A Yahoo IM user may unwittingly accept a malicious file.

--
Ease of Attack:
Easy to transfer a malicious file.

--
False Positives:
None Known.

--
False Negatives:
It may be possible for Yahoo IM traffic to use other ports than the default expected ones.  

--
Corrective Action:
Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.

--
Contributors:
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>
--
Additional References:
Yahoo Protocol
http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm

--