[Snort-sigs] MESSNGR SPAM Sig

Phil Lyons plyons at ...12...
Tue May 6 15:13:03 EDT 2003

Thank you very much, Derek.  I will add this to my local.rules before going 
onsite.  Have you been able to get a packet capture from something like 
tcpdump?  I am really curious as to what these packets look like.

Best Regards,

Phil Lyons

>Sorry that's alert udp not alert tcp
>-----Original Message-----
>From: O'Flynn, Derek [mailto:DOFlyn at ...466...]
>Sent: Tuesday, May 06, 2003 3:59 PM
>To: 'Phil Lyons'; snort-sigs at lists.sourceforge.net
>Subject: RE: [Snort-sigs] MESSNGR SPAM Sig
>We were getting them quite frequently.  I was able to locate UDP port 135 
>the culprit. I ran a sniffer trace all day on UDP port 135 before putting 
>my firewall, and only picked up the messages.  They could use the other
>Netbios ports as well, but haven't had much luck catching them on those
>alert tcp any any -> $HOME_NET 135 (msg: "netBIOS SMB Message SPAM watch";)


>I would like to use a snort sensor to catch the messenger SPAM coming in 
>the Internet.  I have searched & probably missed this signature.
>If one exists, could someone direct me to it?  If not, could someone 
>a PCAP for it?  I would be glad to post a rule back.
>If not, I have my attempts which catch messenger messages, but w/o a PCAP, 

