[Snort-sigs] MESSNGR SPAM Sig

Phil Lyons plyons at ...12...
Tue May 6 15:13:03 EDT 2003


Thank you very much, Derek.  I will add this to my local.rules before going 
onsite.  Have you been able to get a packet capture from something like 
tcpdump?  I am really curious as to what these packets look like.

Best Regards,

Phil Lyons

>
>Sorry, that's alert udp not alert tcp
>
>Derek
>
>-----Original Message-----
>From: O'Flynn, Derek [mailto:DOFlyn at ...466...]
>Sent: Tuesday, May 06, 2003 3:59 PM
>To: 'Phil Lyons'; snort-sigs at lists.sourceforge.net
>Subject: RE: [Snort-sigs] MESSNGR SPAM Sig
>
>We were getting them quite frequently.  I was able to locate UDP port 135 as
>the culprit. I ran a sniffer trace all day on UDP port 135 before putting up
>my firewall, and only picked up the messages.  They could use the other
>Netbios ports as well, but haven't had much luck catching them on those
>ports.
>alert tcp any any -> $HOME_NET 135 (msg: "netBIOS SMB Message SPAM watch";)
>Derek

----->cut

>Greetings,
>I would like to use a snort sensor to catch the messenger SPAM coming in off
>the Internet.  I have searched & probably missed this signature.
>If one exists, could someone direct me to it?  If not, could someone forward
>a PCAP for it?  I would be glad to post a rule back.
>If not, I have my attempts which catch messenger messages, but w/o a PCAP, I

----->cut
