11-02-2007 11:50 AM - edited 03-10-2019 03:51 AM
I was wondering if anyone has successfully created a custom signature to block GoogleTalk traffic?
Thanks,
Jeremy
11-04-2007 06:42 PM
Did you try blocking talk.google.com?
11-05-2007 07:27 AM
Yes, but the address range used for talk.google.com is also used for blogger.
Instead, I created a custom signature and blocked Regex URI talkgadget.
This does not block the GoogleTalk client though, only the web client.
11-05-2007 07:59 AM
I've never tested, but perhaps you can pilfer from these:
Stolen from Bleeding edge Snort rules:
#by Mark Tombaugh
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"BLEEDING-EDGE POLICY Google Talk (Jabber) Client Login"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:9; within:6; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; sid:2002327; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BLEEDING-EDGE POLICY Google Talk TLS Client Traffic"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:64; within:78; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; sid:2002330; rev:2;)
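As an added example (not part of the thread or of the Bleeding Edge ruleset), the script below replays the content/distance/within logic of the two Snort rules above against XMPP stream headers, and contrasts it with a check that parses the `<stream:stream>` attributes instead of relying on byte offsets. The first sample payload is reconstructed from the hex dump in the signature 11204 alert posted later in this thread; the other two headers are constructed for the example, and the distance/within semantics follow Snort 2 (the window starts `distance` bytes after the previous match and is `within` bytes long). Flow direction and destination port are not modelled.

```python
# Added example, not from the thread or the Bleeding Edge ruleset: replays the
# content/distance/within logic of the two Snort rules above against XMPP
# stream headers, then contrasts it with an attribute-order-independent parse.
import re

# Constructed from the hex dump in the signature 11204 alert later in the thread.
CAPTURED_HEADER = (
    b'<stream:stream to="gmail.com" xml:lang="en" version="1.0" '
    b'xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber'
)

# Constructed: the attribute order the rule offsets assume. The 9 bytes between
# "gmail.com" and "jabber" are exactly '" xmlns="'.
ASSUMED_HEADER = (
    b'<stream:stream to="gmail.com" xmlns="jabber:client" '
    b'xmlns:stream="http://etherx.jabber.org/streams" version="1.0">'
)

# Constructed: a login to some other XMPP server, which must not be flagged.
OTHER_HEADER = (
    b'<stream:stream to="jabber.org" xmlns="jabber:client" '
    b'xmlns:stream="http://etherx.jabber.org/streams" version="1.0">'
)

# Content chains of the two rules as (pattern, distance, within). The first
# content carries no relative modifiers; `nocase` applies to all of them.
RULE_2002327 = [(b"gmail.com", 0, None), (b"jabber", 9, 6)]
RULE_2002330 = [(b"gmail.com", 0, None), (b"jabber", 64, 78)]


def snort_content_chain(payload, chain):
    """Return True if every content in `chain` matches, Snort 2 style.

    The first pattern may occur anywhere. Each later pattern is searched in a
    window that starts `distance` bytes after the end of the previous match and
    is `within` bytes long (so within == len(pattern) pins an exact offset).
    Flow direction and port are not modelled here.
    """
    hay = payload.lower()
    prev_end = None
    for pattern, distance, within in chain:
        needle = pattern.lower()
        if prev_end is None:
            idx = hay.find(needle)
        else:
            start = prev_end + distance
            end = None if within is None else start + within
            idx = hay.find(needle, start, end)
        if idx < 0:
            return False
        prev_end = idx + len(needle)
    return True


STREAM_OPEN = re.compile(rb"<stream:stream\b([^>]*)", re.IGNORECASE)
# A value may be cut off by the capture window, so the closing quote is optional.
ATTR = re.compile(rb'([\w:.-]+)\s*=\s*"([^"]*)')


def parse_stream_header(payload):
    """Return the <stream:stream> attributes as a dict, or None if absent."""
    m = STREAM_OPEN.search(payload)
    if m is None:
        return None
    return {
        k.decode("ascii", "replace").lower(): v.decode("utf-8", "replace")
        for k, v in ATTR.findall(m.group(1))
    }


def is_google_talk_login(payload, domains=frozenset({"gmail.com"})):
    """Flag an XMPP client stream opened towards one of `domains`.

    Keys on the meaning of the header (to= and the default xmlns) rather than
    on byte offsets, so attribute order and extra attributes do not matter.
    """
    attrs = parse_stream_header(payload)
    if attrs is None:
        return False
    return (attrs.get("to", "").lower() in domains
            and attrs.get("xmlns", "").lower().startswith("jabber"))


if __name__ == "__main__":
    samples = [("captured", CAPTURED_HEADER), ("assumed", ASSUMED_HEADER),
               ("other", OTHER_HEADER)]
    for name, hdr in samples:
        print(name,
              "sid2002327=%s" % snort_content_chain(hdr, RULE_2002327),
              "sid2002330=%s" % snort_content_chain(hdr, RULE_2002330),
              "header_check=%s" % is_google_talk_login(hdr))
```

Running it shows the fragility the thread is circling around: the captured header puts `xml:lang` right after `to="gmail.com"`, so the offset-pinned rule 2002327 does not fire on those bytes even though they are a Google Talk login, while the attribute-based check flags both Google headers and ignores the jabber.org one.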
11-05-2007 11:05 AM
Well you can always just make the following records on your DNS Server and have it point to the loop-back addy. That should put an end to the google chat client.
talk.google.com - 127.0.0.1
talkx.l.google.com - 127.0.0.1
11-05-2007 01:11 PM
I think that this is the best option as well.
11-05-2007 01:05 PM
Have you tried enabling signature 11204 (Jabber Activity)? I believe this is googletalk traffic below.
evIdsAlert: eventId=1175405913811111111 severity=low vendor=Cisco
originator:
hostId: xxxxxx
appName: sensorApp
appInstanceId: 446
time: 2007/11/05 20:28:19 2007/11/05 20:28:19 UTC
signature: description=Jabber Activity id=11204 version=S47
subsigId: 0
sigDetails: jabber:
interfaceGroup:
vlan: 0
participants:
attacker:
addr: locality=IN x.x.x.x
port: xxxxx
target:
addr: locality=OUT 209.85.163.125
port: 5222
context:
fromAttacker:
000000 3C 73 74 72 65 61 6D 3A 73 74 72 65 61 6D 20 74 <stream:stream t
000010 6F 3D 22 67 6D 61 69 6C 2E 63 6F 6D 22 20 78 6D o="gmail.com" xm
000020 6C 3A 6C 61 6E 67 3D 22 65 6E 22 20 76 65 72 73 l:lang="en" vers
000030 69 6F 6E 3D 22 31 2E 30 22 20 78 6D 6C 6E 73 3A ion="1.0" xmlns:
000040 73 74 72 65 61 6D 3D 22 68 74 74 70 3A 2F 2F 65 stream="http://e
000050 74 68 65 72 78 2E 6A 61 62 62 65 72 2E 6F 72 67 therx.jabber.org
000060 2F 73 74 72 65 61 6D 73 22 20 78 6D 6C 6E 73 3D /streams" xmlns=
000070 22 6A 61 62 62 65 72 "jabber
riskRatingValue: 45
interface: ge2_1
protocol: tcp
11-05-2007 01:08 PM
Yes, this signature will fire, but the GoogleTalk client continues to try to connect on different ports (443) until it reconnects.