[Snort-sigs] MESSNGR SPAM Sig

Gary Flynn flynngn at ...860...
Wed May 7 15:05:10 EDT 2003


Brian wrote:
> On Wed, May 07, 2003 at 03:58:39PM +0200, unspawn wrote:
> 
>>Doesn't this rule make Snort behave like some Portsentry wrt the fact 
>>that it won't do packet scrubbing, just trip on the port?
>>I'd think you need to match some content string.
>>
>>I've used this rule in the past for popups to UDP/135:
>>alert udp $EXTERNAL_NET any -> $HOME_NET 135 (rpc: 100000,*,4; msg:"RPC \
>>ADV - Webpopup (UDP)"; content: "|57 45 42 50 4f 50 55 50|"; \
>>reference:<none insert URI>; sid:9000000;  classtype:misc-activity; \
>>rev:1;)
> 
> 
> That's not going to work as you expect it.  The rpc keyword is for Sun
> RPC.  Basically, you are looking for a portmap dump via the DCE/RPC.
> DCE/RPC is totally different in implementation than Sun RPC. 

Brian's right.

There are some links to MS-RPC programming information and tools
at the bottom of the web site below. If you can't capture the SPAM
packets themselves, you can probably use the tools to "ping" the
messenger service and get some information from that.

http://www.jmu.edu/computing/security/info/winmsg.shtml

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
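Added example, not code from this thread or from the JMU page linked above: a small Python script that emulates the two checks in unspawn's rule separately, so you can see why the `rpc:100000,*,4` keyword never fires on Messenger pop-up traffic. The `rpc` keyword only matches a Sun RPC (ONC RPC v2) CALL header, while the Messenger spam arrives as a connectionless DCE/RPC PDU (version byte 4) whose stub data carries the `|57 45 42 50 4f 50 55 50|` ("WEBPOPUP") bytes. Both packets below are constructed by hand (not captured traffic); the zeroed UUIDs and the exact stub layout are assumptions made only to keep the sample short.

```python
import struct

# --- constructed sample packets (not real captures) --------------------------

def build_sunrpc_call(xid, prog, vers, proc):
    """Minimal Sun RPC (ONC RPC v2) CALL as it appears in a UDP payload:
    XID, msg_type=0 (CALL), rpcvers=2, prog, vers, proc, then AUTH_NULL
    credential and verifier (flavor 0, length 0 each)."""
    return struct.pack(">IIIIII", xid, 0, 2, prog, vers, proc) + \
        struct.pack(">IIII", 0, 0, 0, 0)

def build_dcerpc_cl_request(stub):
    """Minimal connectionless DCE/RPC request PDU: 80-byte header + stub data.
    rpc_vers=4 marks the connectionless variant; ptype=0 is 'request'.
    Object/interface/activity UUIDs are zeroed here (assumption: placeholder)."""
    hdr = bytes([4, 0, 0, 0])            # rpc_vers, ptype, flags1, flags2
    hdr += bytes([0x10, 0, 0]) + b"\x00" # drep (little-endian ints), serial_hi
    hdr += bytes(16) * 3                 # object, interface, activity UUIDs
    hdr += struct.pack("<III", 0, 1, 0)  # server_boot, if_vers, seqnum
    hdr += struct.pack("<HHHHH", 0, 0xFFFF, 0xFFFF, len(stub), 0)  # opnum, ihint, ahint, len, fragnum
    hdr += bytes([0, 0])                 # auth_proto, serial_lo
    assert len(hdr) == 80
    return hdr + stub

# Sun RPC portmapper (program 100000) v2 DUMP is procedure 4: this is what
# 'rpc:100000,*,4' is really asking for.
PORTMAP_DUMP = build_sunrpc_call(0x1234, 100000, 2, 4)

# A Messenger-style pop-up: DCE/RPC CL request whose stub data carries the
# "WEBPOPUP" marker (constructed text, not a real spam body).
MESSENGER_POPUP = build_dcerpc_cl_request(
    b"\x00" * 8 + b"WEBPOPUP\x00" + b"CONSTRUCTED SAMPLE POPUP TEXT\x00")

# --- the checks a rule could make ---------------------------------------------

# Content bytes from the rule, |57 45 42 50 4f 50 55 50| == b"WEBPOPUP"
WEBPOPUP = bytes.fromhex("5745425 04f505550".replace(" ", ""))

def sunrpc_call_matches(payload, prog, vers=None, proc=None):
    """What Snort's 'rpc:' keyword checks: a Sun RPC CALL (msg_type 0,
    rpcvers 2) for program 'prog'; None stands for '*' (any)."""
    if len(payload) < 24:
        return False
    _xid, msg_type, rpcvers, p, v, pr = struct.unpack(">IIIIII", payload[:24])
    if msg_type != 0 or rpcvers != 2 or p != prog:
        return False
    if vers is not None and v != vers:
        return False
    if proc is not None and pr != proc:
        return False
    return True

def is_dcerpc_cl_request(payload):
    """Cheap header sanity check: CL DCE/RPC version 4, packet type 'request'."""
    return len(payload) >= 80 and payload[0] == 4 and payload[1] == 0

def content_matches(payload, pattern):
    """Snort 'content:' semantics at their simplest: raw byte substring."""
    return pattern in payload

def classify(payload):
    """Report which checks fire on one UDP/135 payload."""
    return {
        "rpc_keyword": sunrpc_call_matches(payload, 100000, None, 4),
        "content_only": content_matches(payload, WEBPOPUP),
        "dcerpc_cl": is_dcerpc_cl_request(payload),
    }

if __name__ == "__main__":
    for name, pkt in (("portmap dump", PORTMAP_DUMP), ("messenger popup", MESSENGER_POPUP)):
        print(name, classify(pkt))
```

Because a Snort rule ANDs all its options, the original rule needs `rpc_keyword` and `content_only` to be true on the same packet; on the pop-up sample the first is always false, so the rule is silent exactly when it should fire. Dropping the `rpc` option and keeping the content match (or adding a DCE/RPC header check like `is_dcerpc_cl_request`) is the direction Brian's comment points to.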