RE: [Snort-sigs] MESSNGR SPAM Sig

From: O'Flynn, Derek <DOFlyn(at)lsuhsc.edu>
Date: Tue May 06 2003 - 17:09:59 EDT


Sorry, that's alert udp, not alert tcp.

Derek  

-----Original Message-----
From: O'Flynn, Derek [mailto:DOFlyn@lsuhsc.edu]
Sent: Tuesday, May 06, 2003 3:59 PM
To: 'Phil Lyons'; snort-sigs@lists.sourceforge.net
Subject: RE: [Snort-sigs] MESSNGR SPAM Sig

We were getting them quite frequently. I was able to locate UDP port 135 as the culprit. I ran a sniffer trace all day on UDP port 135 before putting up my firewall, and only picked up the messages. They could use the other Netbios ports as well, but haven't had much luck catching them on those ports.
alert tcp any any -> $HOME_NET 135 (msg:"netBIOS SMB Message SPAM watch";)

Derek
-----Original Message-----
From: Phil Lyons [mailto:plyons@hotmail.com]
Sent: Tuesday, May 06, 2003 3:32 PM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] MESSNGR SPAM Sig
Greetings,
I would like to use a snort sensor to catch the messenger SPAM coming in off the Internet. I have searched & probably missed this signature. If one exists, could someone direct me to it? If not, could someone forward a PCAP for it? I would be glad to post a rule back. If not, I have my attempts which catch messenger messages, but w/o a PCAP, I am not sure whether it is going to work. I am going to be travelling to a site which has this problem, and would like to have the sigs in my snort laptop in advance.
My go at this, from using different NET SENDs (from my local.rules):

alert tcp any any -> $HOME_NET 139 (msg:"netBIOS SMB Message SPAM watch"; content:"|FF 53 4D 42|"; depth:10; classtype:misc-attack;)
alert udp any any -> $HOME_NET 138 (msg:"netBIOS SMB Message Broadcast SPAM watch"; content:"|4D 45 53 53 4E 47 52|"; classtype:misc-attack;)


Best Regards,
Phil Lyons



Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Tue May 6 17:57:41 2003
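The rules traded in this thread differ in three things that decide whether they fire: the protocol in the header (the tcp/udp slip corrected in the last message), the destination port, and the content match with its depth. The following is an added example, not code from the thread or from Snort: a minimal evaluator for exactly those three checks, run over constructed sample payloads (not captures; the byte layouts are hand-built and the 10.0.0.0/8 value for $HOME_NET is an assumption). It shows that the 'alert tcp ... 135' rule as first posted never sees a UDP 135 datagram, and that depth:10 on the 139 rule only works because the NetBIOS session header in front of the SMB header is 4 bytes long.

```python
"""Evaluate the thread's content rules against constructed packets.

Added example for this archive page; not Snort code and not code
posted by either correspondent. Supports only: alert <proto>,
$HOME_NET as destination, a single destination port, one 'content'
with optional 'depth', and 'msg'. Everything else in a rule is ignored.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: stands in for $HOME_NET

# The rules from the thread, re-spaced; rule 3 is Derek's corrected form.
RULES = [
    'alert tcp any any -> $HOME_NET 139 (msg:"netBIOS SMB Message SPAM watch"; '
    'content:"|FF 53 4D 42|"; depth:10; classtype:misc-attack;)',
    'alert udp any any -> $HOME_NET 138 (msg:"netBIOS SMB Message Broadcast SPAM watch"; '
    'content:"|4D 45 53 53 4E 47 52|"; classtype:misc-attack;)',
    'alert tcp any any -> $HOME_NET 135 (msg:"netBIOS SMB Message SPAM watch";)',
    'alert udp any any -> $HOME_NET 135 (msg:"netBIOS SMB Message SPAM watch";)',
]

_HEADER = re.compile(r"^alert (tcp|udp) \S+ \S+ -> \$HOME_NET (\S+) \((.*)\)$")
_OPT = re.compile(r'(\w+):\s*(?:"([^"]*)"|([^;"]*));')


@dataclass
class Rule:
    proto: str
    dport: str
    msg: str
    content: Optional[bytes]
    depth: Optional[int]


@dataclass
class Packet:
    proto: str
    dst: str
    dport: int
    payload: bytes


def decode_content(text: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> Rule:
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError("unsupported rule header: " + text)
    proto, dport, body = m.groups()
    opts = {name: (quoted or bare.strip()) for name, quoted, bare in _OPT.findall(body)}
    return Rule(
        proto=proto,
        dport=dport,
        msg=opts.get("msg", ""),
        content=decode_content(opts["content"]) if "content" in opts else None,
        depth=int(opts["depth"]) if "depth" in opts else None,
    )


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:  # the tcp/udp slip from the thread fails here
        return False
    if ipaddress.ip_address(pkt.dst) not in HOME_NET:
        return False
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    if rule.content is None:  # header-only rule: every packet to that port alerts
        return True
    window = pkt.payload[: rule.depth] if rule.depth else pkt.payload
    return rule.content in window


def alerts(pkt: Packet, rules: Optional[List[Rule]] = None) -> List[Rule]:
    return [r for r in (rules or [parse_rule(t) for t in RULES]) if matches(r, pkt)]


# Constructed sample payloads (hand-built layouts, not captured traffic).
SMB_HDR = b"\xffSMB\x25" + b"\x00" * 27  # SMB header, SMB_COM_TRANSACTION (0x25)
SAMPLES = {
    # NetBIOS session message (4-byte header) then SMB: FF SMB sits at offset 4
    "smb_session_139": Packet("tcp", "10.1.2.3", 139, b"\x00\x00\x00\x2c" + SMB_HDR + b"\x00" * 12),
    # same SMB header pushed to offset 12: outside depth:10, so the 139 rule is silent
    "smb_offset_12_139": Packet("tcp", "10.1.2.3", 139, b"\x00" * 12 + SMB_HDR),
    # NetBIOS datagram (type 0x11) carrying an SMB with the MESSNGR mailslot name
    "mailslot_bcast_138": Packet("udp", "10.1.2.255", 138,
                                 b"\x11\x02" + b"\x00" * 8 + SMB_HDR + b"\\MAILSLOT\\MESSNGR\x00"),
    # connectionless DCE/RPC header (version 4) to the endpoint mapper port
    "dcerpc_135": Packet("udp", "10.1.2.3", 135, b"\x04\x00\x08\x00" + b"\x00" * 76),
    # same SMB payload but not destined to $HOME_NET
    "not_home_139": Packet("tcp", "192.0.2.9", 139, b"\x00\x00\x00\x2c" + SMB_HDR + b"\x00" * 12),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, [(r.proto, r.dport, r.msg) for r in alerts(pkt)])
```

Note that the udp 135 rule has no content check at all, so in this evaluator (as in Snort) it fires on every UDP datagram to port 135 inside $HOME_NET, legitimate RPC included; that matches Derek's description of using it as a "watch" rule behind a firewall rather than as a precise signature.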

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT

