[Snort-sigs] MESSNGR SPAM Sig
plyons at ...12...
Tue May 6 13:33:04 EDT 2003
I would like to use a snort sensor to catch the messenger SPAM coming in off
the Internet. I have searched & probably missed this signature.
If one exists, could someone direct me to it? If not, could someone forward
a PCAP for it? I would be glad to post a rule back.
If not, I have my attempts which catch messenger messages, but w/o a PCAP, I
am not sure whether it is going to work. I am going to be travelling to a
site which has this problem, and would like to have the sigs in my snort
laptop in advance.
My go at this from using different NET SEND (from my local.rules):
alert tcp any any -> $HOME_NET 139 (msg:"netBIOS SMB Message SPAM watch"; content:"|FF 53 4D 42|"; depth:10; classtype:misc-attack;)
alert udp any any -> $HOME_NET 138 (msg:"netBIOS SMB Message Broadcast SPAM watch"; content:"|4D 45 53 53 4E 47 52|"; classtype:misc-attack;)
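Added example, not part of the original post: a small Python check of the `content`/`depth` options from the two rules above against constructed payloads, for use when no PCAP is at hand. The payload layouts (4-byte NetBIOS session header, SMB command bytes 0xD0 and 0x72, the `\MAILSLOT\MESSNGR` string in the datagram) are assumptions made for this sketch, not traffic from the poster's site.

```python
import re

# The two rules from the post, reduced to the options this sketch evaluates.
RULES = {
    "tcp139": 'content:"|FF 53 4D 42|";depth:10;',
    "udp138": 'content:"|4D 45 53 53 4E 47 52|";',
}

def parse_content(opts):
    """Return (pattern_bytes, depth or None) from a rule option string."""
    raw = re.search(r'content:\s*"([^"]*)"', opts).group(1)
    out = bytearray()
    # Text between pipes is hex; everything else is literal ASCII.
    for i, part in enumerate(raw.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    depth = re.search(r"depth:\s*(\d+)", opts)
    return bytes(out), int(depth.group(1)) if depth else None

def matches(opts, payload):
    """content/depth: the pattern must lie wholly within the first `depth` bytes."""
    pattern, depth = parse_content(opts)
    window = payload if depth is None else payload[:depth]
    return pattern in window

def nbss(smb):
    """Prefix a 4-byte NetBIOS session header (type 0x00, then length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def smb_header(command):
    """0xFF 'SMB' magic, one command byte, remaining 27 header bytes zeroed."""
    return b"\xffSMB" + bytes([command]) + bytes(27)

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "send_message": nbss(smb_header(0xD0) + b"constructed text"),  # SMB_COM_SEND_MESSAGE
    "negotiate": nbss(smb_header(0x72)),  # SMB_COM_NEGOTIATE, ordinary SMB traffic
    "magic_late": bytes(8) + smb_header(0xD0),  # magic at offset 8 runs past depth 10
    "mailslot_messngr": b"constructed-datagram \\MAILSLOT\\MESSNGR\x00hello",
    "mailslot_browse": b"constructed-datagram \\MAILSLOT\\BROWSE\x00",
}

def evaluate():
    """Map (rule, sample) -> True if the rule's content option would match."""
    return {(r, s): matches(o, p) for r, o in RULES.items() for s, p in SAMPLES.items()}

if __name__ == "__main__":
    for (rule, sample), hit in evaluate().items():
        print(f"{rule:7} {sample:17} {'ALERT' if hit else '-'}")
```

On these samples the TCP rule matches the negotiate packet as well as the message packet, because the four content bytes are the SMB header magic rather than anything specific to a message.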