[Snort-sigs] MESSNGR SPAM Sig

O'Flynn, Derek DOFlyn at ...466...
Tue May 6 14:11:04 EDT 2003

Sorry, that's alert udp, not alert tcp.

-----Original Message-----
From: O'Flynn, Derek [mailto:DOFlyn at ...466...] 
Sent: Tuesday, May 06, 2003 3:59 PM
To: 'Phil Lyons'; snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] MESSNGR SPAM Sig

We were getting them quite frequently.  I was able to locate UDP port 135 as
the culprit. I ran a sniffer trace all day on UDP port 135 before putting up
my firewall, and only picked up the messages.  They could use the other
Netbios ports as well, but haven't had much luck catching them on those.

alert tcp any any -> $HOME_NET 135 (msg: "netBIOS SMB Message SPAM watch";)

-----Original Message----- 
From: Phil Lyons [mailto:plyons at ...12...]
Sent: Tuesday, May 06, 2003 3:32 PM 
To: snort-sigs at lists.sourceforge.net 
Subject: [Snort-sigs] MESSNGR SPAM Sig 

I would like to use a snort sensor to catch the messenger SPAM coming in off
the Internet.  I have searched & probably missed this signature.

If one exists, could someone direct me to it?  If not, could someone forward
a PCAP for it?  I would be glad to post a rule back.

If not, I have my attempts which catch messenger messages, but w/o a PCAP, I
am not sure whether it is going to work.  I am going to be travelling to a
site which has this problem, and would like to have the sigs in my snort
laptop in advance.

My go at this from using different NET SEND (from my local.rules):

alert tcp any any -> $HOME_NET 139 (msg: "netBIOS SMB Message SPAM watch"; content:"|FF 53 4D 42|";depth:10;classtype:misc-attack;)

alert udp any any -> $HOME_NET 138 (msg: "netBIOS SMB Message Broadcast SPAM watch";content:"|4D 45 53 53 4E 47 52|";classtype:misc-attack;)

Best Regards, 
Phil Lyons 
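
What the content options in the rules above actually match, as an added example that is not part of the original thread: a small Python matcher that decodes the |hex| strings and applies depth to constructed payloads. It shows that |FF 53 4D 42| is the SMB magic (so the port-139 rule fires on any SMB command, not only messages) and that the port-135 rule, having no content, fires on every packet to that port. The helper names and payload bytes are assumptions made for the illustration.

```python
import re

# The thread's rules, each joined onto one line; the last is the port-135 rule
# with the udp correction from the follow-up applied.
RULES = {
    "tcp139": 'alert tcp any any -> $HOME_NET 139 (msg: "netBIOS SMB Message SPAM watch"; '
              'content:"|FF 53 4D 42|";depth:10;classtype:misc-attack;)',
    "udp138": 'alert udp any any -> $HOME_NET 138 (msg: "netBIOS SMB Message Broadcast SPAM watch";'
              'content:"|4D 45 53 53 4E 47 52|";classtype:misc-attack;)',
    "udp135": 'alert udp any any -> $HOME_NET 135 (msg: "netBIOS SMB Message SPAM watch";)',
}

def decode_content(text):
    """Turn a Snort content string into bytes; |..| sections are hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_rule(rule):
    """Extract only the fields these three rules use (hypothetical helper)."""
    header, options = rule.split("(", 1)
    _action, proto, _src, _sport, _arrow, _dst, dport = header.split()
    content = re.search(r'content:\s*"([^"]*)"', options)
    depth = re.search(r'depth:\s*(\d+)', options)
    return {"proto": proto, "dport": int(dport),
            "content": decode_content(content.group(1)) if content else None,
            "depth": int(depth.group(1)) if depth else None}

def matches(rule, proto, dport, payload):
    r = parse_rule(rule)
    if (r["proto"], r["dport"]) != (proto, dport):
        return False
    if r["content"] is None:
        return True  # header-only rule: alerts on every packet to the port
    window = payload if r["depth"] is None else payload[:r["depth"]]
    return r["content"] in window

# Constructed payloads: 4-byte NetBIOS session header, SMB magic, command byte.
SMB_SEND_MESSAGE = b"\x00\x00\x00\x20\xffSMB\xd0" + b"\x00" * 27   # 0xD0 = send message
SMB_NEGOTIATE = b"\x00\x00\x00\x20\xffSMB\x72" + b"\x00" * 27      # 0x72 = negotiate
MAILSLOT_DGRAM = b"\x11\x02" + b"\x00" * 12 + b"\\MAILSLOT\\MESSNGR\x00hello"

if __name__ == "__main__":
    print(decode_content("|FF 53 4D 42|"), decode_content("|4D 45 53 53 4E 47 52|"))
    for name, pkt in [("send", SMB_SEND_MESSAGE), ("negotiate", SMB_NEGOTIATE)]:
        print(name, matches(RULES["tcp139"], "tcp", 139, pkt))
    print("mailslot", matches(RULES["udp138"], "udp", 138, MAILSLOT_DGRAM))
    print("udp135 any payload", matches(RULES["udp135"], "udp", 135, b"\x04\x00"))
```

Narrowing the port-139 rule to message traffic would need a further match on the SMB command byte that follows the magic.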