Hosting Provided By

Re: [Snort-sigs] MESSNGR SPAM Sig

From: Brian <bmc(at)snort.org>
Date: Wed May 07 2003 - 19:05:34 EDT

Try this rule out... it looks for a SMB multi-block message.

alert tcp any any -> any 139 (msg:"SMB Message sent"; flow:to_server,established; content:"SMB|d5|"; offset:4; depth:4;)

-brian

On Tue, May 06, 2003 at 03:32:11PM -0500, Phil Lyons wrote:
> Greetings,

Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara The only event dedicated to issues related to Linux enterprise solutions www.enterpriselinuxforum.com

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Wed May 7 19:45:58 2003

This message: [ Message body ]
Next message: Nick White: "RE: [Snort-sigs] disable /var/log/snort logging"
Previous message: Gary Flynn: "Re: [Snort-sigs] MESSNGR SPAM Sig"
In reply to: Phil Lyons: "[Snort-sigs] MESSNGR SPAM Sig"
In reply to O'Flynn, Derek: "RE: [Snort-sigs] MESSNGR SPAM Sig"
Reply: Phil Lyons: "Re: [Snort-sigs] MESSNGR SPAM Sig"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT