[Snort-sigs] snort not detect messenger spam ? (snort240b18+snortrules24)

Erik Fichtner emf at ...3056...
Tue Aug 16 09:21:05 EDT 2005

rmkml wrote:
>> it is easy enough to create a rule to detect this.
> send "easy" rule to the list ?

This piece of junk has been floating around in my rules file for
a few years. It used to work, but there's no point in alerting
on it from an IDS. Perhaps if you're inline and can block the
packets there's some value, but not much. Seems like it would
be a better course of action to patch this extremely old vulnerability
and move on to bigger targets.


# ... not right now... it's often spoofed anyway.
#alert udp $EXTERNAL_NET any -> $HOME_NET 1026:1027 (msg:"Spoofed source UDP Microsoft RPC Pop-up spam exploit"; \
#       content: "|1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 4fb6 e6fc|"; \
#       content: "|3133 3132 3030 3032 3230 3130 0000 0000 0100|"; \
#       classtype: misc-attack; sid:90002; rev:1;)

Erik Fichtner; Unix Ronin

"Mathematics is something best shared between consenting adults
in the privacy of their own office" - Adam O'Donnell
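
An added example (not part of the original post, and not Snort's own code) that decodes the two `content` patterns from the rule above and evaluates them against constructed payloads, the way an unmodified `content` match works. It also reads the last 16 bytes of the first pattern as a little-endian DCE/RPC UUID, which is the Windows Messenger service interface; the function names and sample payloads are assumptions made for illustration.

```python
import re
import uuid

# Rule text from the post, with the leading '#' comment markers removed.
RULE = r'''alert udp $EXTERNAL_NET any -> $HOME_NET 1026:1027 (msg:"Spoofed source UDP Microsoft RPC Pop-up spam exploit"; \
       content: "|1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 4fb6 e6fc|"; \
       content: "|3133 3132 3030 3032 3230 3130 0000 0000 0100|"; \
       classtype: misc-attack; sid:90002; rev:1;)'''


def decode_content(value: str) -> bytes:
    """Decode a Snort content string: |..| spans are hex, the rest is literal."""
    out = bytearray()
    # Splitting on '|' alternates literal text (even index) and hex (odd index).
    for i, part in enumerate(value.split("|")):
        if i % 2:
            out += bytes.fromhex("".join(part.split()))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def rule_contents(rule: str) -> list[bytes]:
    """Return every content pattern in the rule, in rule order."""
    return [decode_content(m) for m in re.findall(r'content:\s*"([^"]*)"', rule)]


def payload_matches(payload: bytes, patterns: list[bytes]) -> bool:
    """With no offset/depth/distance modifiers, each pattern may match anywhere."""
    return all(p in payload for p in patterns)


def interface_uuid(pattern: bytes) -> uuid.UUID:
    """Last 16 bytes of the first pattern, read as a little-endian DCE/RPC UUID."""
    return uuid.UUID(bytes_le=pattern[-16:])


PATTERNS = rule_contents(RULE)

# Constructed payloads (not captured traffic): filler bytes around the patterns.
SAMPLE_HIT = b"\x04\x00\x28\x00" + PATTERNS[0] + PATTERNS[1] + b"\x00" * 8
SAMPLE_MISS = b"\x04\x00\x28\x00" + PATTERNS[0] + b"\x00" * 26

if __name__ == "__main__":
    print(interface_uuid(PATTERNS[0]))
    print(payload_matches(SAMPLE_HIT, PATTERNS), payload_matches(SAMPLE_MISS, PATTERNS))
```

Because the rule needs both patterns, a datagram that carries the Messenger interface UUID but not the second byte string (which begins with the ASCII digits 131200022010) does not alert.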