[Snort-sigs] MESSNGR SPAM Sig

Brian bmc at ...95...
Wed May 7 13:55:03 EDT 2003


On Wed, May 07, 2003 at 03:58:39PM +0200, unspawn wrote:
> Doesn't this rule make Snort behave like some Portsentry wrt the fact 
> that it won't do packet scrubbing, just trip on the port?
> I'd think you need to match some content string.
> 
> I've this rule in the past for popups to UDP/135:
> alert udp $EXTERNAL_NET any -> $HOME_NET 135 (rpc: 100000,*,4; msg:"RPC \
> ADV - Webpopup (UDP)"; content: "|57 45 42 50 4f 50 55 50|"; \
> reference:<none insert URI>; sid:9000000;  classtype:misc-activity; \
> rev:1;)

That's not going to work as you expect it.  The rpc keyword is for Sun
RPC.  Basically, you are looking for a portmap dump via the DCE/RPC.
DCE/RPC is totally different in implementation than Sun RPC.

-brian
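
The mismatch described in the reply above, as an added example that is not part of the original thread and is not Snort's own code: a simplified model of what an `rpc: 100000,*,4` check reads from a UDP payload (a Sun RPC call header), run against a Sun RPC portmap dump call and against a DCE/RPC connectionless header. The function names and both sample payloads are constructed for illustration.

```python
import struct

PORTMAP_PROG = 100000      # Sun RPC portmapper program number
PMAPPROC_DUMP = 4          # portmapper DUMP procedure
POPUP_CONTENT = bytes.fromhex("574542504f505550")  # content bytes from the quoted rule

def sunrpc_call_matches(payload, prog, vers=None, proc=None):
    """Model of an 'rpc: prog,vers,proc' check on a UDP payload (None = '*')."""
    if len(payload) < 24:
        return False
    _xid, mtype, rpcvers, p, v, c = struct.unpack(">6I", payload[:24])
    if mtype != 0 or rpcvers != 2:       # must be a CALL using RPC version 2
        return False
    return p == prog and vers in (None, v) and proc in (None, c)

def is_dcerpc_cl(payload):
    """Connectionless DCE/RPC PDUs start with rpc_vers 4 and an 80-byte header."""
    return len(payload) >= 80 and payload[0] == 4

def quoted_rule_fires(payload):
    """Both options of the quoted rule must match for an alert."""
    return (sunrpc_call_matches(payload, PORTMAP_PROG, None, PMAPPROC_DUMP)
            and POPUP_CONTENT in payload)

# Constructed sample: Sun RPC portmap DUMP call with null credentials/verifier.
SUNRPC_DUMP = struct.pack(">6I", 0x12345678, 0, 2, PORTMAP_PROG, 2, PMAPPROC_DUMP) + b"\x00" * 16

# Constructed sample: DCE/RPC connectionless request header (rpc_vers 4, ptype 0,
# little-endian drep, remaining header fields zeroed) followed by the popup string.
DCE_POPUP = bytes([4, 0, 0, 0, 0x10, 0, 0, 0]) + b"\x00" * 72 + POPUP_CONTENT

if __name__ == "__main__":
    for name, pkt in (("sunrpc_dump", SUNRPC_DUMP), ("dce_popup", DCE_POPUP)):
        print(name, sunrpc_call_matches(pkt, PORTMAP_PROG, None, PMAPPROC_DUMP),
              is_dcerpc_cl(pkt), quoted_rule_fires(pkt))
```

The DCE/RPC payload carries the content string but fails the Sun RPC header check, so a rule that requires both options stays silent on it.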