Re: [Snort-sigs] MESSNGR SPAM Sig

From: Brian <bmc(at)snort.org>
Date: Wed May 07 2003 - 16:56:26 EDT

On Wed, May 07, 2003 at 03:58:39PM +0200, unspawn wrote:
> Doesn't this rule make Snort behave like some Portsentry wrt the fact
> that it won't do packet scrubbing, just trip on the port?
> I'd think you need to match some content string.
>
> I've this rule in the past for popups to UDP/135:
> alert udp $EXTERNAL_NET any -> $HOME_NET 135 (rpc: 100000,*,4; msg:"RPC \
> ADV - Webpopup (UDP)"; content: "|57 45 42 50 4f 50 55 50|"; \
> reference:<none insert URI>; sid:9000000; classtype:misc-activity; \
> rev:1;)

That's not going to work as you expect it. The rpc keyword is for Sun RPC. Basically, you are looking for a portmap dump via the DCE/RPC. DCE/RPC is totally different in implementation than Sun RPC.

-brian
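Added example, not from the thread or from Snort's own source: a small Python model of what the two options in the quoted rule actually test, run against constructed payloads. It assumes the Sun RPC CALL header layout of RFC 1057 and the 80-byte DCE/RPC connectionless header of C706; the sample bytes are constructed, not captured traffic.

```python
import struct

# Constructed UDP payloads (not captured traffic).
# Sun RPC CALL to the portmapper: xid, mtype=0 (CALL), rpcvers=2,
# prog=100000, vers=2, proc=4 (PMAPPROC_DUMP), then AUTH_NULL cred and verf.
SUNRPC_PMAP_DUMP = struct.pack(">6I", 0x1234ABCD, 0, 2, 100000, 2, 4) + bytes(16)

# DCE/RPC connectionless request header (80 bytes, C706 ch. 12):
# rpc_vers=4, ptype=0 (request), flags1, flags2, drep (0x10 = little-endian
# integers), serial_hi, then zeroed uuids/counters; followed by a constructed
# body carrying the string the quoted rule's content: option looks for.
DCERPC_CL_REQUEST = bytes([4, 0, 0x20, 0, 0x10, 0, 0, 0]) + bytes(72) + b"WEBPOPUP test"

# The content: pattern from the quoted rule, |57 45 42 50 4f 50 55 50| = "WEBPOPUP".
WEBPOPUP = bytes.fromhex("57 45 42 50 4f 50 55 50")


def sunrpc_match(payload: bytes, prog: int, vers, proc) -> bool:
    """Approximates Snort's rpc: option: match a Sun RPC version-2 CALL
    (RFC 1057) by program, version and procedure; '*' is a wildcard."""
    if len(payload) < 24:
        return False
    _xid, mtype, rpcvers, p_prog, p_vers, p_proc = struct.unpack(">6I", payload[:24])
    if mtype != 0 or rpcvers != 2:  # not a Sun RPC v2 CALL message at all
        return False
    return (p_prog == prog
            and (vers == "*" or p_vers == vers)
            and (proc == "*" or p_proc == proc))


def content_match(payload: bytes, needle: bytes) -> bool:
    """Snort's content: option is a plain substring search over the payload."""
    return needle in payload


def quoted_rule_fires(payload: bytes) -> bool:
    """Every option in a rule must match, so the quoted rule needs both the
    rpc: test (portmap DUMP) and the content: test to succeed on one packet."""
    return sunrpc_match(payload, 100000, "*", 4) and content_match(payload, WEBPOPUP)


if __name__ == "__main__":
    for name, pkt in (("Sun RPC portmap dump", SUNRPC_PMAP_DUMP),
                      ("DCE/RPC CL request", DCERPC_CL_REQUEST)):
        print(f"{name}: rpc={sunrpc_match(pkt, 100000, '*', 4)} "
              f"content={content_match(pkt, WEBPOPUP)} rule={quoted_rule_fires(pkt)}")
```

The DCE/RPC header's first bytes are read by the rpc: check as an xid and a non-zero message type, so the option never matches it, and the Sun RPC dump never carries the content string: the two options in the quoted rule cannot both be true for either kind of traffic.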




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Wed May 7 17:45:48 2003
