[Snort-users] Rule opinions

James Nonya slave_tothe_box at ...131...
Tue Jun 24 09:17:21 EDT 2003


--- Christian Kreibich <christian at ...9125...> wrote:
> Hi,
> 
> On Tue, 2003-06-24 at 14:05, James Nonya wrote:
> > So ok...I have udp port 135 blocked anyways, but I
> > wanted to see if this would fly...so far this hasn't
> > seemed to work:
> > 
> > alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"Popup Spam Attempt"; content:"|F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6 E6 FC|";)
> 
> I have just looked at some of my automatically generated signatures
> (using Honeycomb[1] and honeyd) for UDP port 135 and this looks correct.
> I do see some signatures that do not contain the last byte (0xFC), but
> otherwise they match perfectly. It should work.
> 
> [1]
> http://www.cl.cam.ac.uk/~cpk25/honeycomb/index.html
> 
> Regards,
> Christian.

Hrmm...I'll remove the FC, but I captured some popups
last night and snort didn't fire off with that rule. 
More reading I think ;)

James
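As an added illustration (not code from this thread or from Snort itself): a small Python model of how Snort's content: option matches the rule quoted above. It shows why the full 16-byte pattern misses a packet whose last UUID byte differs, while the 15-byte form Christian mentions matches both, and it decodes the bytes as the DCE RPC interface UUID they represent. The sample payloads are constructed, not real captures.

```python
import uuid

# The content: pattern exactly as quoted in the rule above (one 16-byte hex block).
RULE_CONTENT = "|F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6 E6 FC|"


def parse_content(content: str) -> bytes:
    """Convert a Snort content: string into raw bytes.

    Text outside |...| is literal (one byte per character); text inside is
    whitespace-separated hex. An odd number of hex digits is a rule error.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2:  # inside a |hex| block
            digits = "".join(part.split())
            if len(digits) % 2:
                raise ValueError(f"odd number of hex digits in {part!r}")
            out += bytes.fromhex(digits)
        else:  # literal text between hex blocks
            out += part.encode("latin-1")
    return bytes(out)


def content_matches(pattern: bytes, payload: bytes) -> bool:
    """Snort content: semantics: the whole pattern must appear contiguously."""
    return pattern in payload


def interface_uuid(pattern: bytes) -> str:
    """Read the 16 bytes as a DCE RPC interface UUID in Windows little-endian layout."""
    return str(uuid.UUID(bytes_le=pattern))


# Constructed sample UDP payloads (placeholders, not captured traffic):
# 24 filler bytes, then the UUID, then a few trailing bytes.
PREFIX = b"\x00" * 24
EXACT_PAYLOAD = PREFIX + parse_content(RULE_CONTENT) + b"\x01\x00\x00\x00"
# Same payload, but the final UUID byte is 0x00 instead of 0xFC.
VARIANT_PAYLOAD = PREFIX + parse_content(RULE_CONTENT)[:-1] + b"\x00" + b"\x01\x00\x00\x00"


def check(pattern: bytes) -> dict:
    """Which of the two sample payloads would a rule with this content: pattern catch?"""
    return {"exact": content_matches(pattern, EXACT_PAYLOAD),
            "variant": content_matches(pattern, VARIANT_PAYLOAD)}


if __name__ == "__main__":
    full = parse_content(RULE_CONTENT)
    print("interface UUID:", interface_uuid(full))
    print("16-byte pattern:", check(full))
    print("15-byte pattern:", check(full[:-1]))
```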

