[Snort-sigs] MESSNGR SPAM Sig
plyons at ...12...
Tue May 6 15:13:03 EDT 2003
Thank you very much, Derek. I will add this to my local.rules before going
onsite. Have you been able to get a packet capture from something like
tcpdump? I am really curious as to what these packets look like.
>Sorry, that's alert udp not alert tcp
>From: O'Flynn, Derek [mailto:DOFlyn at ...466...]
>Sent: Tuesday, May 06, 2003 3:59 PM
>To: 'Phil Lyons'; snort-sigs at lists.sourceforge.net
>Subject: RE: [Snort-sigs] MESSNGR SPAM Sig
>We were getting them quite frequently. I was able to locate UDP port 135
>the culprit. I ran a sniffer trace all day on UDP port 135 before putting
>my firewall, and only picked up the messages. They could use the other
>Netbios ports as well, but haven't had much luck catching them on those
>alert tcp any any -> $HOME_NET 135 (msg: "netBIOS SMB Message SPAM watch";)
>I would like to use a snort sensor to catch the messenger SPAM coming in
>the Internet. I have searched & probably missed this signature.
>If one exists, could someone direct me to it? If not, could someone
>a PCAP for it? I would be glad to post a rule back.
>If not, I have my attempts which catch messenger messages, but w/o a PCAP,