Here's an LQ search for "block yahoo messenger".
About logging. All traffic will be coming from wetware-controlled boxen (you didn't mix the human LAN and the server DMZ, right?), so there's your source range. Next, all traffic is watched by protocol.
http://help.yahoo.com/help/us/mesg/twin/twin-15.html tells us YIM uses TCP (HTTP) and UDP, so there are your protocols. The page also shows you the ports. YIM contacts a fixed set of hubs, so there's your destination range.
The only thing to do now is I. restrict traffic by blocking YIM file transfer and video (to preserve bandwidth) and deny outgoing proxy traffic, and II. "sniff" or distinguish different (application-layer, right?) protocols like HTTP and SMTP by filtering packet contents and log only the ones YIM uses. Snort should be capable of doing this and flexible enough to also block traffic if necessary. Here are some rules I ripped off the 'net as an example:
alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"INFO Yahoo messenger login"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Yahoo messenger login through port 80"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 119 (msg:"INFO Yahoo messenger file transfer"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INFO Yahoo messenger file transfer through port 80"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)
There are scripts to convert Snort rules to Netfilter rules, but IMHO that would not be as flexible as using Snort and would come with a performance penalty as well. Of course you can set up iptables rules with LOG targets for the destination ranges/IPs, ports and protocol, but that won't be (IMHO) as detailed as using Snort.
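To make the "filter packet contents and log only the ones YIM uses" step concrete, here is an added example (not part of the post above, and not Snort itself) that evaluates the four posted rules against constructed packets. It parses the small subset of Snort syntax those rules use (header, msg, flags, content, sid), treats $HOME_NET as an assumed 192.168.1.0/24, uses a TEST-NET address as a stand-in for a Yahoo hub, and the sample payloads are hand-built, not captured traffic.

```python
import ipaddress
import re

# Assumed LAN range for $HOME_NET; $EXTERNAL_NET is everything not in it.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]

# The four rules from the post, verbatim.
RULES = [
    'alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"INFO Yahoo messenger login"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Yahoo messenger login through port 80"; flags: A+; content: "domain=.yahoo.com"; content: "YMSG"; classtype:misc-activity; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 119 (msg:"INFO Yahoo messenger file transfer"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000003; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"INFO Yahoo messenger file transfer through port 80"; flags: A+; content: "FILEXFER"; content: "YMSG"; classtype:misc-activity; sid:1000004; rev:1;)',
]

HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$'
)


def parse_rule(text):
    """Parse the rule header plus the option subset used above (msg, flags,
    content, sid). content values are plain strings; |hex| escapes and
    distance/within modifiers are not handled."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["content"] = []
    for opt in m.group("body").split(";"):
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if not key:
            continue
        if key == "content":
            rule["content"].append(val.encode())
        elif key == "sid":
            rule["sid"] = int(val)
        else:
            rule[key] = val
    return rule


def _addr_ok(spec, ip):
    """Match an address spec (any, $HOME_NET, $EXTERNAL_NET, CIDR, optional '!')."""
    ip = ipaddress.ip_address(ip)
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec == "$HOME_NET":
        hit = any(ip in net for net in HOME_NET)
    elif spec == "$EXTERNAL_NET":
        hit = not any(ip in net for net in HOME_NET)
    else:
        hit = ip in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def _header_ok(rule, pkt):
    fwd = (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
           and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"]))
    if rule["dir"] == "->":
        return fwd
    rev = (_addr_ok(rule["src"], pkt["dst"]) and _port_ok(rule["sport"], pkt["dport"])
           and _addr_ok(rule["dst"], pkt["src"]) and _port_ok(rule["dport"], pkt["sport"]))
    return fwd or rev


def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"] or not _header_ok(rule, pkt):
        return False
    # flags:A+ means ACK must be set; any other bits may also be set.
    flags = rule.get("flags")
    if flags and not set(flags.rstrip("+")) <= set(pkt["flags"]):
        return False
    # Every content string must appear somewhere in the payload; with no
    # distance/within modifiers the rules impose no ordering between them.
    return all(c in pkt["payload"] for c in rule["content"])


def matching_sids(pkt, rules=None):
    rules = rules or [parse_rule(r) for r in RULES]
    return [r["sid"] for r in rules if rule_matches(r, pkt)]


# Constructed sample packets (assumed addresses: TEST-NET hub, one LAN host).
HUB, LAN = "203.0.113.5", "192.168.1.10"
_LOGIN = b"YMSG\x00\x0b\x00\x00\x00\x40\x00\x01" + b"\x00" * 8 + b"59\xc0\x80Y=v=1; domain=.yahoo.com\xc0\x80"
_XFER = b"YMSG\x00\x0b\x00\x00\x00\x30\x00\x46" + b"\x00" * 8 + b"27\xc0\x80FILEXFER\xc0\x80"
SAMPLE_PACKETS = [
    # 0: login reply from the hub on port 80 -> hits sid 1000002
    {"proto": "tcp", "src": HUB, "sport": 80, "dst": LAN, "dport": 3456, "flags": "PA", "payload": _LOGIN},
    # 1: file transfer request from the LAN to port 80 -> hits sid 1000004
    {"proto": "tcp", "src": LAN, "sport": 3457, "dst": HUB, "dport": 80, "flags": "PA", "payload": _XFER},
    # 2: ordinary HTTP from the LAN, nothing YIM-related -> no hit
    {"proto": "tcp", "src": LAN, "sport": 3458, "dst": HUB, "dport": 80, "flags": "PA",
     "payload": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    # 3: same bytes as 1 but ACK not set, so flags:A+ rejects it -> no hit
    {"proto": "tcp", "src": LAN, "sport": 3459, "dst": HUB, "dport": 80, "flags": "S", "payload": _XFER},
    # 4: file transfer on port 5050, which the posted rules never cover -> no hit
    {"proto": "tcp", "src": LAN, "sport": 3460, "dst": HUB, "dport": 5050, "flags": "PA", "payload": _XFER},
]

if __name__ == "__main__":
    parsed = [parse_rule(r) for r in RULES]
    for i, pkt in enumerate(SAMPLE_PACKETS):
        print(i, [(r["sid"], r["msg"]) for r in parsed if rule_matches(r, pkt)])
```

Packet 4 is the one worth noticing: the posted rules only watch ports 80 and 119, so a native-port session sails through unless you add rules for the other ports the Yahoo help page lists.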