[Snort-sigs] MESSNGR SPAM Sig

O'Flynn, Derek DOFlyn at ...466...
Tue May 6 14:00:04 EDT 2003


We were getting them quite frequently.  I was able to locate UDP port 135 as
the culprit. I ran a sniffer trace all day on UDP port 135 before putting up
my firewall, and only picked up the messages.  They could use the other
Netbios ports as well, but haven't had much luck catching them on those
ports.

# Matches every datagram to port 135 (no content option), so expect it to be noisy.
alert udp any any -> $HOME_NET 135 (msg: "netBIOS SMB Message SPAM watch";)

Derek

-----Original Message-----
From: Phil Lyons [mailto:plyons at ...12...] 
Sent: Tuesday, May 06, 2003 3:32 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] MESSNGR SPAM Sig

Greetings,

I would like to use a snort sensor to catch the messenger SPAM coming in off
the Internet.  I have searched & probably missed this signature.

If one exists, could someone direct me to it?  If not, could someone forward
a PCAP for it?  I would be glad to post a rule back.

If not, I have my attempts which catch messenger messages, but w/o a PCAP, I
am not sure whether it is going to work.  I am going to be travelling to a
site which has this problem, and would like to have the sigs in my snort
laptop in advance.

My go at this from using different NET SEND (from my local.rules):

alert tcp any any -> $HOME_NET 139 (msg: "netBIOS SMB Message SPAM watch"; content:"|FF 53 4D 42|"; depth:10; classtype:misc-attack;)

alert udp any any -> $HOME_NET 138 (msg: "netBIOS SMB Message Broadcast SPAM watch"; content:"|4D 45 53 53 4E 47 52|"; classtype:misc-attack;)


Best Regards,
Phil Lyons
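
Phil's concern above is that he cannot tell whether the rules work without a PCAP. The checker below is an added example, not code from the thread: it implements just the `content`/`depth` matching the three quoted rules rely on and runs them against constructed payloads, so you can see which of them fire on ordinary NetBIOS/SMB traffic and which need the `MESSNGR` mailslot name. The payload bytes are constructed stand-ins, and Derek's rule is taken as UDP 135 as his text states.

```python
import re

# Snort rules quoted in the thread (Derek's taken as UDP 135 per his text).
DEREK_135 = 'alert udp any any -> $HOME_NET 135 (msg: "netBIOS SMB Message SPAM watch";)'
PHIL_139 = ('alert tcp any any -> $HOME_NET 139 (msg: "netBIOS SMB Message SPAM watch"; '
            'content:"|FF 53 4D 42|"; depth:10; classtype:misc-attack;)')
PHIL_138 = ('alert udp any any -> $HOME_NET 138 (msg: "netBIOS SMB Message Broadcast SPAM watch"; '
            'content:"|4D 45 53 53 4E 47 52|"; classtype:misc-attack;)')

# Constructed payloads (not captured traffic): a NetBIOS session header plus an
# ordinary SMB negotiate, a UDP 138 datagram carrying the \MAILSLOT\MESSNGR
# mailslot used by "net send", a UDP 138 browser announcement, and an arbitrary
# UDP 135 datagram.
SMB_NEGOTIATE = b"\x00\x00\x00\x2f" + b"\xffSMBr" + bytes(40)
NET_SEND_138 = (b"\x11\x02\x00\x01" + bytes(10) + b"\xffSMB\x25" + bytes(20)
                + b"\\MAILSLOT\\MESSNGR\x00" + b"SENDER\x00TARGET\x00constructed text")
BROWSER_138 = b"\x11\x02\x00\x01" + bytes(10) + b"\xffSMB\x25" + bytes(20) + b"\\MAILSLOT\\BROWSE\x00"
RPC_135 = b"\x04\x00\x28\x00" + bytes(76)


def parse_rule(rule: str) -> dict:
    """Pull proto, destination port, msg, content bytes and depth out of a rule."""
    header, body = rule.split("(", 1)
    parts = header.split()
    opts = {"proto": parts[1], "dport": parts[6], "msg": "", "content": b"", "depth": None}
    for opt in body.rstrip(")").split(";"):
        if ":" not in opt:
            continue
        key, val = (s.strip() for s in opt.split(":", 1))
        if key == "msg":
            opts["msg"] = val.strip('"')
        elif key == "content":
            # |HH HH ..| is Snort's hex notation; anything else is a literal string
            hexpart = re.fullmatch(r'"\|([0-9A-Fa-f ]+)\|"', val)
            opts["content"] = bytes.fromhex(hexpart.group(1)) if hexpart else val.strip('"').encode()
        elif key == "depth":
            opts["depth"] = int(val)
    return opts


def rule_matches(rule: str, proto: str, dport: int, payload: bytes) -> bool:
    """True if the rule's proto/port match and its content is found within depth."""
    r = parse_rule(rule)
    if r["proto"] != proto or r["dport"] != str(dport):
        return False
    window = payload if r["depth"] is None else payload[: r["depth"]]
    return r["content"] in window  # an empty content (no content option) matches anything


if __name__ == "__main__":
    print("139 rule on plain SMB negotiate:", rule_matches(PHIL_139, "tcp", 139, SMB_NEGOTIATE))
    print("138 rule on net send mailslot:  ", rule_matches(PHIL_138, "udp", 138, NET_SEND_138))
    print("138 rule on browser announce:   ", rule_matches(PHIL_138, "udp", 138, BROWSER_138))
    print("135 rule on empty datagram:     ", rule_matches(DEREK_135, "udp", 135, b""))
```

The run shows the trade-off in the thread: the port 139 rule fires on any SMB session (the `|FF 53 4D 42|` header is present in every SMB packet), the content-less port 135 rule fires on every datagram to that port, while the `MESSNGR` content on 138 only fires when the messenger mailslot name is present.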



