[Snort-sigs] MESSNGR SPAM Sig
bmc at ...95...
Wed May 7 13:55:03 EDT 2003
On Wed, May 07, 2003 at 03:58:39PM +0200, unspawn wrote:
> Doesn't this rule make Snort behave like some Portsentry wrt the fact
> that it won't do packet scrubbing, just trip on the port?
> I'd think you need to match some content string.
> I've this rule in the past for popups to UDP/135:
> alert udp $EXTERNAL_NET any -> $HOME_NET 135 (rpc: 100000,*,4; msg:"RPC \
> ADV - Webpopup (UDP)"; content: "|57 45 42 50 4f 50 55 50|"; \
> reference:<none insert URI>; sid:9000000; classtype:misc-activity; \
That's not going to work as you expect it. The rpc keyword is for Sun
RPC. Basically, you are looking for a portmap dump via the DCE/RPC.
DCE/RPC is totally different in implementation than Sun RPC.
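
Added example, not part of the original post or of Snort's code: a simplified model of what `rpc: 100000,*,4` tests (an ONC/Sun RPC call header), run against a constructed portmap DUMP call and a constructed DCE/RPC connectionless request carrying the rule's content bytes. The function names and both sample packets are assumptions made for illustration.

```python
import struct

CONTENT = bytes.fromhex("574542504f505550")  # the rule's content bytes, "WEBPOPUP"

def sun_rpc_call(payload):
    """Decode the fixed part of an ONC (Sun) RPC call in one UDP datagram.
    Returns (prog, vers, proc), or None if the bytes are not an RPC v2 call."""
    if len(payload) < 24:
        return None
    _xid, msg_type, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    if msg_type != 0 or rpcvers != 2:  # 0 = CALL, RPC protocol version 2
        return None
    return prog, vers, proc

def rpc_option_matches(payload, prog, vers=None, proc=None):
    """Simplified model of the `rpc:` rule option; None stands for '*'."""
    call = sun_rpc_call(payload)
    if call is None:
        return False
    return call[0] == prog and vers in (None, call[1]) and proc in (None, call[2])

def dce_cl_request(payload):
    """True if the payload starts like a DCE/RPC connectionless (v4) request."""
    return len(payload) >= 80 and payload[0] == 4 and payload[1] == 0

def rule_fires(payload):
    """Both options of the quoted rule must hold: the rpc test AND the content."""
    return rpc_option_matches(payload, 100000, None, 4) and CONTENT in payload

# Constructed sample: portmap (program 100000) v2, procedure 4 (DUMP), AUTH_NULL.
PMAP_DUMP = struct.pack(">6I", 0x12345678, 0, 2, 100000, 2, 4) + bytes(16)

# Constructed sample: 80-byte DCE/RPC connectionless header, then the popup text.
DCE_POPUP = (
    bytes([4, 0, 0, 0]) + b"\x10\x00\x00" + b"\x00"  # vers, ptype, flags, drep, serial_hi
    + bytes(48)                                      # object/interface/activity UUIDs, zeroed
    + struct.pack("<3I5H2B", 0, 1, 0, 0, 0xFFFF, 0xFFFF, len(CONTENT), 0, 0, 0)
    + CONTENT
)

if __name__ == "__main__":
    for name, pkt in (("portmap dump", PMAP_DUMP), ("dce/rpc popup", DCE_POPUP)):
        print(name, "| sun rpc:", sun_rpc_call(pkt),
              "| dce cl:", dce_cl_request(pkt), "| rule fires:", rule_fires(pkt))
```

The DCE/RPC datagram contains the content string, but its first bytes do not decode as a Sun RPC call, so the rpc option fails and the rule as a whole never fires on it.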