[Snort-sigs] MESSNGR SPAM Sig
plyons at ...12...
Thu May 8 08:05:02 EDT 2003
Thanks - I will put this rule in the rule base for my visit to the
customer's site. The short story is: he has a good set of firewall rules
already in place, I can find no open MS ports. Scanning, etc., yields none.
So I am also concerned about a hacked host. By setting up & leaving snort
running, I'd like to be able to catch the SPAM source. So, I'd like to have
a good rule for this. There are legal concerns onsite as well - i.e., "try
viagra", "visit Suzie's house of web cams" showing up on different users'
desktops. Maybe someone will get fed up & file something. I suppose it's
possible. We are shutting down ms messenger service, but that is really
treating the symptom.
I will report back on a successful rule. And will try to provide a pcap if
I can from tcpdump.
>Try this rule out... it looks for a SMB multi-block message.
>alert tcp any any -> any 139 (msg:"SMB Message sent";
>flow:to_server,established; content:"SMB|d5|"; offset:4; depth:4;)
>On Tue, May 06, 2003 at 03:32:11PM -0500, Phil Lyons wrote:
> > Greetings,
> > I would like to use a snort sensor to catch the messenger SPAM coming in
> > off the Internet. I have searched & probably missed this signature.
> > If one exists, could someone direct me to it? If not, could someone
> > forward a PCAP for it? I would be glad to post a rule back.
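Added example (not from the original thread or from Snort itself): a small Python checker for verifying where a content match would land in an SMB messenger packet before running a rule like the one quoted above at a customer site. On TCP 139 the payload begins with the 4-byte NetBIOS session header, so the 0xFF 'S' 'M' 'B' magic starts at byte 4 and the command byte (0xD5 for SEND_START_MB_MESSAGE, 0xD0 for SEND_MESSAGE, 0xD6/0xD7 for the END/TEXT multi-block commands) sits at byte 8. The sample payload is constructed here, not taken from a capture; the function names are mine, and find_content models Snort's content/offset/depth search as I understand it (the depth window counted from the offset), which is an assumption to confirm against the Snort version actually deployed.

```python
import struct

# SMB1 messenger-service command codes (CIFS command table)
SMB_COM_SEND_MESSAGE = 0xD0
SMB_COM_SEND_START_MB_MESSAGE = 0xD5
SMB_COM_SEND_END_MB_MESSAGE = 0xD6
SMB_COM_SEND_TEXT_MB_MESSAGE = 0xD7
MESSAGE_COMMANDS = {
    SMB_COM_SEND_MESSAGE,
    SMB_COM_SEND_START_MB_MESSAGE,
    SMB_COM_SEND_END_MB_MESSAGE,
    SMB_COM_SEND_TEXT_MB_MESSAGE,
}

NBSS_HEADER_LEN = 4          # NetBIOS session service header on port 139
SMB_MAGIC = b"\xffSMB"       # start of every SMB1 header
SMB_HEADER_LEN = 32


def build_smb_message(command, body=b""):
    """Constructed sample payload: NetBIOS session message wrapping a minimal SMB1 header.

    The header is magic + command byte followed by zeroed status/flags/ids;
    enough for offset arithmetic, not a protocol-complete message.
    """
    smb = SMB_MAGIC + bytes([command]) + b"\x00" * (SMB_HEADER_LEN - 5) + body
    # NBSS header: type 0x00 (session message) in the top byte, 24-bit length below it
    nbss = struct.pack("!I", len(smb) & 0x00FFFFFF)
    return nbss + smb


def smb_command(payload):
    """Return the SMB command byte of a NetBIOS session message, or None if not SMB."""
    if len(payload) < NBSS_HEADER_LEN + 5:
        return None
    if payload[0] != 0x00:  # session request/keepalive etc. carry no SMB
        return None
    if payload[NBSS_HEADER_LEN:NBSS_HEADER_LEN + 4] != SMB_MAGIC:
        return None
    return payload[NBSS_HEADER_LEN + 4]


def is_messenger_smb(payload):
    """True when the packet carries one of the SMB messenger (mailslot) commands."""
    return smb_command(payload) in MESSAGE_COMMANDS


def find_content(payload, content, offset=0, depth=None):
    """Snort-style content search (assumed semantics): the whole pattern must fit
    inside payload[offset:offset+depth]. Returns the match index or None."""
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    idx = payload.find(content, offset, end)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    sample = build_smb_message(SMB_COM_SEND_START_MB_MESSAGE, b"\x00\x00\x00")
    print("command byte 0x%02x, messenger=%s" % (smb_command(sample), is_messenger_smb(sample)))
    for off, dep in ((4, 4), (5, 4), (4, 5)):
        print("content SMB|d5| offset:%d depth:%d ->" % (off, dep),
              find_content(sample, b"SMB\xd5", offset=off, depth=dep))
```

Run it against bytes pulled from the tcpdump capture (the TCP payload only) to confirm which offset/depth window actually contains SMB|d5| before relying on the alert; the checker also flags the plain SEND_MESSAGE (0xD0) form, which a rule keyed only on 0xD5 would not.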