[Snort-users] Rule opinions

Christian Kreibich christian at ...9125...
Tue Jun 24 09:07:18 EDT 2003


On Tue, 2003-06-24 at 14:05, James Nonya wrote:
> So ok...I have udp port 135 block anyways, but I
> wanted to see if this would fly...so far this hasn't
> seemed to work:
> alert udp $EXTERNAL_NET any -> $HOME_NET 135
> (msg:"Popup Spam Attempt"; content:"|F8 91 7B 5A 00 FF
> D0 11 A9 B2 00 C0 4F B6 E6 FC|";)

I have just looked at some of my automatically generated signatures
(using Honeycomb[1] and honeyd) for UDP port 135 and this looks correct.
I do see some signatures that do not contain the last byte (0xFC), but
otherwise they match perfectly. It should work.

[1] http://www.cl.cam.ac.uk/~cpk25/honeycomb/index.html


More information about the Snort-users mailing list