
Re: [Snort-sigs] MESSNGR SPAM Sig

From: Phil Lyons <plyons(at)hotmail.com>
Date: Thu May 08 2003 - 11:03:54 EDT


Thanks - I will put this rule in the rule base for my visit to the customer's site. The short story is: he has a good set of firewall rules already in place, I can find no open MS ports. Scanning, etc., yields none. So I am also concerned about a hacked host. By setting up & leaving snort running, I'd like to be able to catch the SPAM source. So, I'd like to have a good rule for this. There are legal concerns onsite as well - i.e., "try viagra", "visit Suzie's house of web cams" showing up on different users' desktops. Maybe someone will get fed up & file something. I suppose it's possible. We are shutting down ms messenger service, but that is really treating the symptom.

I will report back on a successful rule. And will try to provide a pcap if I can from tcpdump.

Phil Lyons

>
>Try this rule out... it looks for a SMB multi-block message.

----->cut




Received on Thu May 8 11:59:35 2003
