LinuxQuestions.org

Linux - General: https://www.linuxquestions.org/questions/linux-general-1/monitoring-and-or-blocking-yahoo-messenger-at-firewall-108955/

chrisfirestar 10-27-2003 02:18 AM

monitoring and/or blocking yahoo messenger at firewall
 
Hi, a little help over here please :P

I am setting up a new firewall and the boss has requested that, ideally, Yahoo Messenger is monitored, and if that doesn't help or is hard to do, then we block it. But looking through all the documents, it appears to me that Yahoo have designed it very well (well, for them; bad for me).

I can block the default ports (5000, 5001, 5050, 5100), which includes the file transfer and webcam ports too... BUT if Yahoo doesn't work it seems to go through other ports... 80 for example, and if not, ANY OTHER AVAILABLE PORT!

I have not actually built and tested this, as we are in the R&D part of the project (a complete office Microsoft to Linux migration), but I want to be sure that it's do-able.

I know that ICQ, MSN, AOL and IRC are OK to block through ports.

Anyone got any ideas? Maybe blocking an IP address range (if Yahoo uses a unique one)???

It is preferred though that this is monitored, so while I want to know how to block if need be, I would really like to know how to monitor use on those ports (of course harder again because it will use any port available). Any suggestions??

Chris

unSpawn 10-27-2003 09:06 AM

Here's an LQ search for "block yahoo messenger".
About logging. All traffic will be coming from wetware-controlled boxen (you didn't mix the human LAN and the server DMZ, right?), so there's your source range. Next, all traffic is watched by protocol. http://help.yahoo.com/help/us/mesg/twin/twin-15.html tells us YIM uses TCP (HTTP) and UDP, so there are your protocols. The page also shows you the ports. YIM contacts a fixed set of hubs, so there's the destination range.
The only things to do now are I. restrict traffic by blocking YIM file transfer and video (preserve bandwidth) and deny outgoing proxy traffic, and II. "sniff" or distinguish different (application layer, right?) protocols like HTTP and SMTP by filtering packet contents and log only the ones YIM uses. Snort should be capable of doing this and flexible enough to also use it to block traffic if necessary. Here are some rules I ripped off the 'net as an example:


# Login traffic from outside back to the LAN, matched on payload content ("YMSG" protocol marker plus the yahoo.com cookie) rather than on YIM's default ports; here for 119 and 80
alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"INFO Yahoo messenger login"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000001; rev:1;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Yahoo messenger login through port 80"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)

# File transfer requests leaving the LAN, again keyed on payload content ("FILEXFER" plus "YMSG") for 119 and 80
alert tcp $HOME_NET any -> $EXTERNAL_NET 119 (msg:"INFO Yahoo messenger file transfer"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000003; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INFO Yahoo messenger file transfer through port 80"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)


There are scripts to convert Snort rules to Netfilter rules, but IMHO that would not be as flexible as using Snort and would come with a performance penalty as well. Of course you can set up iptables rules with LOG targets for the destination ranges/IPs, ports and protocol, but that won't be (IMHO) as detailed as using Snort.
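A worked example added here, not part of unSpawn's post or the original thread, of the approach the post describes: classify traffic by payload rather than by destination port, so a YIM client that falls back to 80, 119 or any other port is still seen, and compare that against the port-only block the question starts from. It goes a step beyond the posted Snort rules by validating the YMSG header before counting a hit, which avoids the false positive a bare content:"YMSG" gives on any payload that happens to contain those four bytes. Everything in it is an assumption for the demo rather than something the thread states: HOME_NET is 192.168.1.0/24, the 20-byte YMSG header layout (magic, version, vendor, length, service, status, session id) and the 0xC0 0x80 field separator as published in protocol dissectors, the service codes 1 (logon) and 0x46 (file transfer), and the constructed sample segments.

```python
"""Port-agnostic detection of Yahoo Messenger (YMSG) traffic over TCP segments.

Added example, not code from the original thread. It re-implements the idea
behind the posted Snort rules in Python but keys on payload structure instead
of port, so a client falling back to 80, 119 or any other port is still seen.
Assumptions (not from the thread): HOME_NET, the YMSG header layout and field
separator, service codes 1 and 0x46, and all sample segments (constructed).
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.168.1.0/24")        # assumption: the human LAN
YIM_DEFAULT_PORTS = {5000, 5001, 5050, 5100}    # ports named in the thread
YMSG_HDR = struct.Struct(">4sHHHHII")  # magic, version, vendor, length, service, status, session
SEP = b"\xc0\x80"                      # key/value separator in the YMSG body
SVC_LOGON, SVC_FILEXFER = 1, 0x46      # published service codes (assumption)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def direction(seg):
    """'out' = HOME -> EXTERNAL, 'in' = EXTERNAL -> HOME, None otherwise."""
    src_home = ip_address(seg.src) in HOME_NET
    dst_home = ip_address(seg.dst) in HOME_NET
    if src_home and not dst_home:
        return "out"
    if dst_home and not src_home:
        return "in"
    return None


def parse_ymsg(payload):
    """Return header fields and body key/values, or None if the payload is not a
    well-formed YMSG message. Checking magic at offset 0 and the declared body
    length keeps a stray 'YMSG' substring (e.g. in an e-mail) from counting."""
    if len(payload) < YMSG_HDR.size or payload[:4] != b"YMSG":
        return None
    _, version, _vendor, length, service, _status, session = YMSG_HDR.unpack_from(payload)
    body = payload[YMSG_HDR.size:]
    if len(body) < length:          # split across segments; needs stream reassembly
        return None
    parts = body[:length].split(SEP)
    fields = dict(zip(parts[0::2], parts[1::2]))
    return {"version": version, "service": service, "session": session, "fields": fields}


def blocked_by_port(seg):
    """What a port-only firewall rule (the thread's first idea) would catch."""
    return direction(seg) == "out" and seg.dport in YIM_DEFAULT_PORTS


def classify(seg):
    """Signature names hit by one segment: the posted rules' content strings
    ('domain=.yahoo.com' for login, 'FILEXFER' for file transfer) with no port
    condition and a structural YMSG check in front."""
    d = direction(seg)
    msg = parse_ymsg(seg.payload)
    if d is None or msg is None:
        return []
    hits = ["ymsg"]
    if msg["service"] == SVC_LOGON or b"domain=.yahoo.com" in seg.payload:
        hits.append("login")
    if d == "out" and (msg["service"] == SVC_FILEXFER or b"FILEXFER" in seg.payload):
        hits.append("filexfer")
    return hits


def triage(segments):
    """Count hits per approach so the three can be compared side by side."""
    counts = {"port_rule": 0, "naive_content": 0, "header_aware": 0}
    for seg in segments:
        counts["port_rule"] += blocked_by_port(seg)
        counts["naive_content"] += b"YMSG" in seg.payload   # bare content:"YMSG"
        counts["header_aware"] += bool(classify(seg))
    return counts


def build_ymsg(service, fields, version=9, session=0):
    """Build a YMSG message for the constructed samples."""
    body = b"".join(k + SEP + v + SEP for k, v in fields)
    return YMSG_HDR.pack(b"YMSG", version, 0, len(body), service, 0, session) + body


# Constructed sample traffic (TEST-NET-3 addresses, made-up payloads).
LAN_HOST, YAHOO_HUB, MAIL_HOST = "192.168.1.23", "203.0.113.10", "203.0.113.25"
SAMPLES = [
    # 1. logon to a default YIM port: port rule and content rule both see it
    Segment(LAN_HOST, 40001, YAHOO_HUB, 5050, build_ymsg(SVC_LOGON, [(b"1", b"someuser")])),
    # 2. logon reply coming back from port 80 carrying the yahoo.com cookie
    Segment(YAHOO_HUB, 80, LAN_HOST, 40002,
            build_ymsg(SVC_LOGON, [(b"59", b"Y=v=1&n=abc; path=/; domain=.yahoo.com")])),
    # 3. file transfer offer sent out on an arbitrary fallback port
    Segment(LAN_HOST, 40003, YAHOO_HUB, 8001,
            build_ymsg(SVC_FILEXFER, [(b"27", b"FILEXFER"), (b"28", b"report.doc")])),
    # 4. ordinary web request: nothing should fire
    Segment(LAN_HOST, 40004, YAHOO_HUB, 80, b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    # 5. e-mail that merely mentions YMSG: bare substring match fires, header check does not
    Segment(LAN_HOST, 40005, MAIL_HOST, 25, b"Subject: YMSG notes\r\n\r\nsee attached\r\n"),
]

if __name__ == "__main__":
    for seg in SAMPLES:
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} "
              f"port_block={blocked_by_port(seg)} hits={classify(seg)}")
    print(triage(SAMPLES))
```

Over the five constructed segments the port-only rule catches one (the logon on 5050), a bare "YMSG" substring match fires four times (including the e-mail), and the header-aware check fires on exactly the three real YIM messages, including the ones on 80 and 8001. In a real deployment the parser needs to sit behind TCP stream reassembly, which is what Snort provides and a plain iptables LOG rule does not.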

