[Snort-sigs] snort not detect messenger spam ? (snort240b18+snortrules24)

Jason security at ...704...
Tue Aug 16 09:03:19 EDT 2005


http://www.broadbandreports.com/forum/remark,13970880~start=-2~mode=flat

I see no mention of a worm being the cause. If you are looking to detect 
the worm then more information is required. If you want to see the 
messenger traffic inside HOME_NET simply change the EXTERNAL_NET var to 
any or the rule to use any instead of EXTERNAL_NET.


http://www.snort.org/docs/snort_htmanuals/htmanual_233/node16.html

will show you the way.

rmkml wrote:
> ok,
> but messenger traffic is WORM,
> you don't receive this traffic on internet cnx ?
> Regards
> Rmkml
> 
> 
> On Tue, 16 Aug 2005, Jason wrote:
> 
>> Date: Tue, 16 Aug 2005 11:49:21 -0400
>> From: Jason <security at ...704...>
>> To: rmkml <rmkml at ...324...>
>> Cc: Snort-sigs at lists.sourceforge.net
>> Subject: Re: [Snort-sigs] snort not detect messenger spam ?
>>     (snort240b18+snortrules24)
>>
>>
>>
>> rmkml wrote:
>>
>>>> it is easy enough to create a rule to detect this.
>>>
>>>
>>>
>>> send "easy" rule to the list ?
>>
>>
>>
>> alert udp $EXTERNAL_NET any -> $HOME_NET 135:1030 (msg:"Policy Messenger Traffic - Fix your network"; content:"|04 00|"; depth:2; sid:1000000; rev:1; )
>>
>> A bill is also on the way. ;)
>>
>>> Regards
>>> Rmkml
>>>
>>
> 
> 
> 
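
As an added illustration (not part of the original message and not Snort code), the Python sketch below emulates the header and content match of the rule quoted above over constructed packets. It shows why messenger traffic sent by a host inside HOME_NET is missed when EXTERNAL_NET excludes HOME_NET and is seen once it is set to any. The 192.168.1.0/24 HOME_NET, the !$HOME_NET setting, and all packet values are assumptions.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed value for this example

def addr_ok(ip, var):
    """Evaluate a Snort address variable: 'any', '$HOME_NET' or '!$HOME_NET'."""
    if var == "any":
        return True
    inside = ipaddress.ip_address(ip) in HOME_NET
    return inside if var == "$HOME_NET" else not inside

def rule_matches(pkt, external_net):
    """Emulate: alert udp $EXTERNAL_NET any -> $HOME_NET 135:1030
    (content:"|04 00|"; depth:2;) with $EXTERNAL_NET set to external_net."""
    return (pkt["proto"] == "udp"
            and addr_ok(pkt["src"], external_net)
            and addr_ok(pkt["dst"], "$HOME_NET")
            and 135 <= pkt["dport"] <= 1030
            # depth:2 limits the content search to the first two payload bytes
            and b"\x04\x00" in pkt["payload"][:2])

# Constructed sample packets; 04 00 = connectionless DCE/RPC version 4, request.
MSG = b"\x04\x00\x28\x00" + b"\x00" * 76
PACKETS = [
    {"name": "external-spam", "proto": "udp", "src": "203.0.113.7",
     "dst": "192.168.1.20", "dport": 1026, "payload": MSG},
    {"name": "internal-host", "proto": "udp", "src": "192.168.1.50",
     "dst": "192.168.1.20", "dport": 135, "payload": MSG},
    {"name": "netbios-ns", "proto": "udp", "src": "203.0.113.7",
     "dst": "192.168.1.20", "dport": 137, "payload": b"\x12\x34\x01\x10"},
    {"name": "port-out-of-range", "proto": "udp", "src": "203.0.113.7",
     "dst": "192.168.1.20", "dport": 1434, "payload": MSG},
]

def alerts(external_net):
    """Names of the sample packets the emulated rule would alert on."""
    return [p["name"] for p in PACKETS if rule_matches(p, external_net)]

if __name__ == "__main__":
    for setting in ("!$HOME_NET", "any"):
        print(f"EXTERNAL_NET={setting}: {alerts(setting)}")
```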



