[Snort-sigs] MESSNGR SPAM Sig

Phil Lyons plyons at ...12...
Thu May 8 08:05:02 EDT 2003


Thanks - I will put this rule in the rule base for my visit to the 
customer's site.  The short story is: he has a good set of firewall rules 
already in place, I can find no open MS ports.  Scanning, etc., yields none. 
  So I am also concerned about a hacked host.  By setting up & leaving snort 
running, I'd like to be able to catch the SPAM source.  So, I'd like to have 
a good rule for this.  There are legal concerns onsite as well - i.e., "try 
viagra", "visit Suzie's house of web cams" showing up on different users' 
desktops.  Maybe someone will get fed up & file something.  I suppose it's 
possible.  We are shutting down ms messenger service, but that is really 
treating the symptom.

I will report back on a successful rule.  And will try to provide a pcap if 
I can from tcpdump.

Phil Lyons


>
>Try this rule out...  it looks for an SMB multi-block message.
>
>alert tcp any any -> any 139 (msg:"SMB Message sent"; 
>flow:to_server,established; content:"|ff|SMB|d5|"; offset:4; depth:5;)
>
>-brian
>
>On Tue, May 06, 2003 at 03:32:11PM -0500, Phil Lyons wrote:
> > Greetings,
> >
> > I would like to use a snort sensor to catch the messenger SPAM coming in
> > off the Internet.  I have searched & probably missed this signature.
> >
> > If one exists, could someone direct me to it?  If not, could someone
> > forward a PCAP for it?  I would be glad to post a rule back.
> >

----->cut
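The quoted rule keys on the SMB command byte that follows the 4-byte NetBIOS session header on TCP/139, so the offset/depth window has to be counted from that header. The following Python is an added example, not code from the thread or from Snort: it constructs sample Messenger (MESSNGR) SMB payloads, pulls out the command byte and the originator/destination names, and applies a content/offset/depth check so the exact bytes a rule inspects can be seen. It assumes the classic SMB-over-NetBIOS session service layout (NBSS header, then `\xffSMB`, then the command) and Snort 2.x semantics where `depth` counts bytes from `offset`; the constants and sample names are constructed for the example.

```python
"""
Added example (not part of the original thread): build SMB-over-NetBIOS
session-service payloads for the Messenger (MESSNGR) commands and apply a
Snort-style content/offset/depth check to them.

Assumptions: a 4-byte NetBIOS session header precedes the SMB header on
TCP/139, and `depth` is counted from `offset` (Snort 2.x behaviour).
"""
import struct

# SMB command codes used by the LAN Manager messaging (Messenger) functions.
SMB_COM_SEND_MESSAGE = 0xD0            # single-block message
SMB_COM_SEND_BROADCAST_MESSAGE = 0xD1
SMB_COM_SEND_START_MB_MESSAGE = 0xD5   # start of a multi-block message
SMB_COM_SEND_END_MB_MESSAGE = 0xD6
SMB_COM_SEND_TEXT_MB_MESSAGE = 0xD7

MESSENGER_COMMANDS = {
    SMB_COM_SEND_MESSAGE: "SEND_MESSAGE",
    SMB_COM_SEND_BROADCAST_MESSAGE: "SEND_BROADCAST_MESSAGE",
    SMB_COM_SEND_START_MB_MESSAGE: "SEND_START_MB_MESSAGE",
    SMB_COM_SEND_END_MB_MESSAGE: "SEND_END_MB_MESSAGE",
    SMB_COM_SEND_TEXT_MB_MESSAGE: "SEND_TEXT_MB_MESSAGE",
}

NBSS_HEADER_LEN = 4   # type(1) flags(1) length(2)
SMB_HEADER_LEN = 32   # \xffSMB(4) cmd(1) status(4) flags(1) flags2(2)
                      # pid_high(2) signature(8) reserved(2) tid/pid/uid/mid(8)


def build_nbss_smb(command: int, smb_body: bytes = b"") -> bytes:
    """Return a NetBIOS Session Message carrying a minimal SMB with `command`."""
    smb_header = (
        b"\xffSMB" + bytes([command])
        + b"\x00" * 4        # NT status
        + b"\x00"            # flags
        + b"\x00\x00"        # flags2
        + b"\x00" * 12       # pid_high, security signature, reserved
        + b"\x00" * 8        # tid, pid, uid, mid
    )
    smb = smb_header + smb_body
    # Session Message type 0x00, flags 0, 16-bit length (small payloads only).
    return struct.pack(">BBH", 0x00, 0x00, len(smb)) + smb


def messenger_names_body(originator: bytes, destination: bytes) -> bytes:
    """SEND_START_MB_MESSAGE parameters: WordCount 0, ByteCount, then two
    0x04-prefixed (ASCII string) buffers: originator name, destination name."""
    data = b"\x04" + originator + b"\x00" + b"\x04" + destination + b"\x00"
    return b"\x00" + struct.pack("<H", len(data)) + data


def smb_command(payload: bytes):
    """Command byte of an SMB carried in an NBSS Session Message, else None."""
    if len(payload) < NBSS_HEADER_LEN + 5 or payload[0] != 0x00:
        return None
    if payload[NBSS_HEADER_LEN:NBSS_HEADER_LEN + 4] != b"\xffSMB":
        return None
    return payload[NBSS_HEADER_LEN + 4]


def is_messenger_smb(payload: bytes) -> bool:
    """True for any of the Messenger SMB commands, single- or multi-block."""
    return smb_command(payload) in MESSENGER_COMMANDS


def content_match(payload: bytes, pattern: bytes, offset: int = 0, depth=None) -> bool:
    """Approximation of Snort content/offset/depth: the pattern must lie
    entirely inside payload[offset:offset+depth] (depth counted from offset)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def parse_start_mb_names(payload: bytes):
    """(originator, destination) from a SEND_START_MB_MESSAGE request.
    The originator is whatever the sender put there, so it names the spam
    source only as honestly as the spammer chose; rely on the IP header."""
    if smb_command(payload) != SMB_COM_SEND_START_MB_MESSAGE:
        return None
    params = payload[NBSS_HEADER_LEN + SMB_HEADER_LEN:]
    word_count = params[0]
    data = params[1 + 2 * word_count + 2:]   # skip WordCount, words, ByteCount
    names = []
    while data[:1] == b"\x04":
        end = data.index(b"\x00", 1)
        names.append(data[1:end])
        data = data[end + 1:]
    return tuple(names) if len(names) == 2 else None


if __name__ == "__main__":
    # Constructed sample: a multi-block message start from "SPAMMER" to "VICTIM".
    start = build_nbss_smb(SMB_COM_SEND_START_MB_MESSAGE,
                           messenger_names_body(b"SPAMMER", b"VICTIM"))
    print("command 0x%02x -> %s" % (smb_command(start), MESSENGER_COMMANDS[smb_command(start)]))
    print("names:", parse_start_mb_names(start))
    for pattern, off, dep in ((b"SMB\xd5", 4, 4), (b"SMB\xd5", 5, 4), (b"\xffSMB\xd5", 4, 5)):
        print(pattern, "offset", off, "depth", dep, "->", content_match(start, pattern, off, dep))
```

Running it shows that `SMB|d5|` with `offset:4; depth:4;` never fires, because bytes 4 to 7 are `\xffSMB` and the `\xd5` command byte sits at byte 8, while `offset:5; depth:4;` or `|ff|SMB|d5|` with `offset:4; depth:5;` does. A single-block `SEND_MESSAGE` (0xD0) is still Messenger traffic but is not caught by a rule keyed on 0xD5 alone, which is worth keeping in mind when deciding how broad the site rule should be.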
