[Snort-sigs] MESSNGR SPAM Sig

Phil Lyons plyons at ...12...
Tue May 6 13:33:04 EDT 2003


I would like to use a snort sensor to catch the messenger SPAM coming in off 
the Internet.  I have searched & probably missed this signature.

If one exists, could someone direct me to it?  If not, could someone forward 
a PCAP for it?  I would be glad to post a rule back.

If not, I have my attempts which catch messenger messages, but w/o a PCAP, I 
am not sure whether it is going to work.  I am going to be travelling to a 
site which has this problem, and would like to have the sigs in my snort 
laptop in advance.

My go at this from using different NET SEND (from my local.rules):

alert tcp any any -> $HOME_NET 139 (msg:"netBIOS SMB Message SPAM watch"; content:"|FF 53 4D 42|"; depth:10; classtype:misc-attack;)

alert udp any any -> $HOME_NET 138 (msg:"netBIOS SMB Message Broadcast SPAM watch"; content:"|4D 45 53 53 4E 47 52|"; classtype:misc-attack;)

Best Regards,
Phil Lyons
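
Added example (not part of the original post): a small offline check, for when no PCAP is at hand, that emulates the content and depth options of the two rules above over constructed payloads. The sample packets are simplified, constructed stand-ins rather than captured traffic, and the helper names are hypothetical.

```python
def parse_content(spec):
    """Convert a Snort content string such as '|FF 53 4D 42|' to raw bytes."""
    out = bytearray()
    # Pieces between pipes alternate: literal text, hex bytes, literal text, ...
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def content_match(payload, spec, depth=None):
    """Emulate one 'content' option; 'depth' limits the search to the
    first N payload bytes, and the whole pattern must fit inside them."""
    window = payload if depth is None else payload[:depth]
    return parse_content(spec) in window

# The content options of the two rules in the post.
def rule_tcp_139(payload):
    return content_match(payload, "|FF 53 4D 42|", depth=10)

def rule_udp_138(payload):
    return content_match(payload, "|4D 45 53 53 4E 47 52|")

def smb(command, body=b""):
    """Constructed 32-byte SMB header: 0xFF 'SMB', command byte, zeroed rest."""
    return b"\xffSMB" + bytes([command]) + bytes(27) + body

def nbss(message):
    """Prefix the 4-byte NetBIOS session header (type 0, then flags/length)."""
    return b"\x00" + len(message).to_bytes(3, "big") + message

SMB_COM_SEND_MESSAGE = 0xD0   # single-block message, as NET SEND produces
SMB_COM_NEGOTIATE = 0x72      # start of any ordinary SMB session

# Constructed sample payloads; the UDP ones are simplified (zeroed 14-byte
# datagram header followed directly by the mailslot name).
SAMPLES = {
    "tcp139_send_message": nbss(smb(SMB_COM_SEND_MESSAGE, b"constructed text")),
    "tcp139_negotiate": nbss(smb(SMB_COM_NEGOTIATE)),
    "udp138_messngr": bytes(14) + b"\\MAILSLOT\\MESSNGR\x00constructed text",
    "udp138_browse": bytes(14) + b"\\MAILSLOT\\BROWSE\x00",
}

def evaluate():
    """Return {sample name: rule fired?} using the rule for that sample's port."""
    return {name: (rule_tcp_139 if name.startswith("tcp139") else rule_udp_138)(data)
            for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:22} {'ALERT' if fired else '-'}")
```

The TCP 139 content matches the SMB signature itself, so in this check it fires on the negotiate packet as well as on the message packet; the UDP 138 content fires only on the payload naming the MESSNGR mailslot.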
