[Snort-users] Rule opinions

Gary Flynn flynngn at ...6811...
Tue Jun 24 08:41:07 EDT 2003


Kreimendahl, Chad J wrote:
> Maybe a better name for it would be "NETBIOS net send"... that's the
> command they use to send you spam to your windows box.

Actually, if it's going to port 135, it's not netbios. It's an RPC
service. To my knowledge, that is the way the bulk messenger
spams are being sent nowadays even though they can also be sent
via netbios to 139.

Also, I just saw a post indicating that the spammers are getting
around port 135 blocks by directly addressing the messenger
service port. Port 135 is a port mapper. People contact it to
find out where the service they are interested in using is
listening. It works like the Unix port mapper. If the Messenger
service always listens on the same port and the spammers know
where it is, there is no need for them to contact the port mapper
first. The warning I saw said they were spamming port 1026.

In my tests, a seemingly random port opened up when a message
was sent but I didn't test too much. If the Messenger Service
does indeed listen on 1026 most of the time, we're going to have
more problems shortly.

Here is some more background info:
http://www.jmu.edu/computing/security/info/winmsg.shtml

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
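
Added example, not part of the original post: a small log check for the bypass described above, where traffic reaches the Messenger port (1026 in the warning cited) without a preceding port mapper lookup on 135 from the same source. The log format, addresses and 30-second lookup window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample firewall log (format is an assumption):
# ISO timestamp, source IP, destination IP, destination port
SAMPLE_LOG = """\
2003-06-24T08:00:01 198.51.100.7 192.0.2.10 135
2003-06-24T08:00:02 198.51.100.7 192.0.2.10 1026
2003-06-24T08:05:00 203.0.113.9 192.0.2.10 1026
2003-06-24T08:05:01 203.0.113.9 192.0.2.11 1026
2003-06-24T08:06:00 203.0.113.44 192.0.2.10 80
2003-06-24T09:30:00 198.51.100.7 192.0.2.10 1026
"""

MAPPER_PORT = 135                      # port mapper, per the post
WATCHED_PORTS = {1026}                 # port named in the warning; adjust per site
LOOKUP_WINDOW = timedelta(seconds=30)  # assumed max gap between lookup and use

def parse(log_text):
    """Yield (time, src, dst, dport) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip lines that do not match the assumed format
        ts, src, dst, dport = parts
        yield datetime.fromisoformat(ts), src, dst, int(dport)

def direct_hits(log_text, watched=WATCHED_PORTS, window=LOOKUP_WINDOW):
    """Return (src, dst, port) for watched-port traffic that had no recent
    port mapper lookup from the same source to the same host."""
    last_lookup = {}  # (src, dst) -> time of last contact with port 135
    hits = []
    for ts, src, dst, dport in sorted(parse(log_text)):
        if dport == MAPPER_PORT:
            last_lookup[(src, dst)] = ts
        elif dport in watched:
            seen = last_lookup.get((src, dst))
            if seen is None or ts - seen > window:
                hits.append((src, dst, dport))
    return hits

def summarize(hits):
    """Count direct hits per source address."""
    counts = {}
    for src, _dst, _port in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts

if __name__ == "__main__":
    for src, n in summarize(direct_hits(SAMPLE_LOG)).items():
        print(f"{src}: {n} direct connection(s) to watched ports, no 135 lookup")
```

Sources reported here would not be stopped by a block on port 135 alone, so the watched ports need their own filter rule.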




