Re: [Snort-sigs] MESSNGR SPAM Sig
From: Gary Flynn <flynngn(at)jmu.edu>
Date: Wed May 07 2003 - 17:51:31 EDT

Brian wrote:
> On Wed, May 07, 2003 at 03:58:39PM +0200, unspawn wrote:
>
>> Doesn't this rule make Snort behave like some Portsentry wrt the fact
>> that it won't do packet scrubbing, just trip on the port?
>> I'd think you need to match some content string.
>>
>> I've this rule in the past for popups to UDP/135:
>> alert udp $EXTERNAL_NET any -> $HOME_NET 135 (rpc: 100000,*,4; msg:"RPC \
>> ADV - Webpopup (UDP)"; content: "|57 45 42 50 4f 50 55 50|"; \
>> reference:<none insert URI>; sid:9000000; classtype:misc-activity; \
>> rev:1;)
>
> That's not going to work as you expect it. The rpc keyword is for Sun
> RPC. Basically, you are looking for a portmap dump via the DCE/RPC.
> DCE/RPC is totally different in implementation than Sun RPC.

Brian's right.

There are some links to MS-RPC programming information and tools at the bottom of the web site below. If you can't capture the SPAM packets themselves, you can probably use the tools to "ping" the messenger service and get some information from that.

http://www.jmu.edu/computing/security/info/winmsg.shtml

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E. http://www.jmu.edu/computing/runsafe
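As an added illustration of Brian's point (not part of the thread, and not a rule from Snort or from any of the posters): the quoted rule's rpc option tests Sun RPC header fields, so a DCE/RPC Messenger datagram on UDP/135 never reaches the content match; the second rule keeps only the content check. The sid in the second rule is a placeholder in the local range.

```snort
# Rule as quoted in the thread. The rpc option requires Sun RPC fields
# (program 100000 = portmapper, any version, procedure 4, the portmap
# dump Brian mentions). A DCE/RPC Messenger datagram carries no Sun RPC
# header, so this option fails and the content check is never evaluated.
alert udp $EXTERNAL_NET any -> $HOME_NET 135 (rpc: 100000,*,4; \
    msg:"RPC ADV - Webpopup (UDP)"; content:"|57 45 42 50 4f 50 55 50|"; \
    sid:9000000; classtype:misc-activity; rev:1;)

# Same rule with the rpc option dropped: it now alerts on the ASCII
# marker "WEBPOPUP" (57 45 42 50 4f 50 55 50) in any UDP/135 datagram.
# sid 9000001 is a placeholder chosen here, not a published sid.
alert udp $EXTERNAL_NET any -> $HOME_NET 135 ( \
    msg:"MESSNGR SPAM - Webpopup (UDP)"; content:"|57 45 42 50 4f 50 55 50|"; \
    sid:9000001; classtype:misc-activity; rev:1;)
```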