[Snort-sigs] MESSNGR SPAM Sig

Brian bmc at ...95...
Wed May 7 16:07:01 EDT 2003


Try this rule out...  it looks for an SMB multi-block message.  

alert tcp any any -> any 139 (msg:"SMB Message sent"; flow:to_server,established; content:"SMB|d5|"; offset:5; depth:4;)

-brian

On Tue, May 06, 2003 at 03:32:11PM -0500, Phil Lyons wrote:
> Greetings,
> 
> I would like to use a snort sensor to catch the messenger SPAM coming in 
> off the Internet.  I have searched & probably missed this signature.
> 
> If one exists, could someone direct me to it?  If not, could someone 
> forward a PCAP for it?  I would be glad to post a rule back.
> 
> If not, I have my attempts which catch messenger messages, but w/o a PCAP, 
> I am not sure whether it is going to work.  I am going to be travelling to 
> a site which has this problem, and would like to have the sigs in my snort 
> laptop in advance.
> 
> My go at this from using different NET SEND (from my local.rules):
> 
> alert tcp any any -> $HOME_NET 139 (msg:"netBIOS SMB Message SPAM watch"; content:"|FF 53 4D 42|"; depth:10; classtype:misc-attack;)
> 
> alert udp any any -> $HOME_NET 138 (msg:"netBIOS SMB Message Broadcast SPAM watch"; content:"|4D 45 53 53 4E 47 52|"; classtype:misc-attack;)
> 
> 
> Best Regards,
> Phil Lyons
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
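Added example (not from this thread, not Snort's own code): a short Python script that builds a Messenger-service SMB packet from the MS-CIFS layout, emulates the content/offset/depth window the rules above rely on, and decodes the originator, destination and text of a single-block message so an alert can be compared with what was actually sent. The host names, message text and helper names are made up for the example; the command codes and header layout are from the MS-CIFS specification.

```python
"""Offline check of Messenger-service SMB detection (constructed sample, not from the thread)."""
import struct

# Messenger-service SMB command codes (MS-CIFS SMB_COM_SEND_*_MESSAGE family)
SMB_COM_SEND_SINGLE_BLOCK_MESSAGE = 0xD0
SMB_COM_SEND_BROADCAST_MESSAGE = 0xD1
SMB_COM_SEND_START_MB_MESSAGE = 0xD5    # start of a multi-block message
SMB_COM_SEND_END_MB_MESSAGE = 0xD6
SMB_COM_SEND_TEXT_MB_MESSAGE = 0xD7
MESSENGER_COMMANDS = {0xD0, 0xD1, 0xD5, 0xD6, 0xD7}

NBSS_HEADER_LEN = 4     # NetBIOS session service header in front of SMB on TCP/139
SMB_HEADER_LEN = 32     # fixed SMB header, begins with 0xFF 'S' 'M' 'B', command byte at index 4


def snort_content_match(payload, pattern, offset=0, depth=None):
    """Emulate Snort content/offset/depth: the whole pattern must sit inside
    payload[offset:offset+depth] (depth counted from offset, as in Snort 2.x)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def build_messenger_packet(originator, destination, text, command=SMB_COM_SEND_SINGLE_BLOCK_MESSAGE):
    """Construct NBSS + SMB header + SMB_COM_SEND_SINGLE_BLOCK_MESSAGE body (sample packet)."""
    body = (b"\x04" + originator + b"\x00"       # BufferFormat 0x04, OriginatorName (ASCIIZ)
            + b"\x04" + destination + b"\x00"    # BufferFormat 0x04, DestinationName (ASCIIZ)
            + b"\x01" + struct.pack("<H", len(text)) + text)  # BufferFormat 0x01, DataLength, Data
    smb = (b"\xffSMB" + bytes([command])
           + b"\x00" * 4                         # Status
           + b"\x00" + b"\x00\x00"               # Flags, Flags2
           + b"\x00" * 12                        # PIDHigh, SecurityFeatures, Reserved
           + b"\x00" * 8                         # TID, PIDLow, UID, MID
           + b"\x00"                             # WordCount = 0
           + struct.pack("<H", len(body)) + body)  # ByteCount, Bytes
    nbss = b"\x00" + struct.pack(">I", len(smb))[1:]  # session message, 3-byte length
    return nbss + smb


def parse_messenger_smb(payload):
    """Return None unless payload is an SMB Messenger command; decode single-block text."""
    if len(payload) < NBSS_HEADER_LEN + SMB_HEADER_LEN or payload[4:8] != b"\xffSMB":
        return None
    command = payload[8]
    if command not in MESSENGER_COMMANDS:
        return None
    info = {"command": command}
    if command != SMB_COM_SEND_SINGLE_BLOCK_MESSAGE:
        return info
    data = payload[NBSS_HEADER_LEN + SMB_HEADER_LEN:]
    try:
        pos = 3                                   # skip WordCount (1) and ByteCount (2)
        names = []
        for _ in range(2):                        # originator, then destination
            if data[pos] != 0x04:
                return info
            end = data.index(b"\x00", pos + 1)
            names.append(data[pos + 1:end].decode("ascii", "replace"))
            pos = end + 1
        if data[pos] != 0x01:
            return info
        (length,) = struct.unpack_from("<H", data, pos + 1)
        text = data[pos + 3:pos + 3 + length].decode("ascii", "replace")
    except (IndexError, ValueError, struct.error):
        return info                               # truncated or malformed body: keep command only
    info.update(originator=names[0], destination=names[1], text=text)
    return info


# Content/offset/depth windows to compare against a multi-block start packet.
WINDOWS = {
    "smb_header_first_10":  (b"\xffSMB", 0, 10),   # Phil's TCP/139 rule
    "smb_d5_offset4_depth4": (b"SMB\xd5", 4, 4),   # window is bytes 4..7: misses the command byte
    "smb_d5_offset5_depth4": (b"SMB\xd5", 5, 4),   # window is bytes 5..8: covers "SMB" + command
}


def windows_that_fire(payload):
    return {name for name, (pat, off, dep) in WINDOWS.items()
            if snort_content_match(payload, pat, off, dep)}


if __name__ == "__main__":
    pkt = build_messenger_packet(b"SPAMHOST", b"VICTIM", b"Buy now", SMB_COM_SEND_START_MB_MESSAGE)
    print(sorted(windows_that_fire(pkt)))
    print(parse_messenger_smb(build_messenger_packet(b"SPAMHOST", b"VICTIM", b"Buy now")))
```

The point of the window table is that on TCP/139 the SMB header starts after the 4-byte NetBIOS session header, so the command byte is at payload offset 8; a content window has to reach that byte or the signature never fires on real traffic.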