[Snort-users] Rule opinions
slave_tothe_box at ...131...
Tue Jun 24 09:17:21 EDT 2003
--- Christian Kreibich <christian at ...9125...> wrote:
> On Tue, 2003-06-24 at 14:05, James Nonya wrote:
> > So ok...I have udp port 135 blocked anyways, but I
> > wanted to see if this would fly...so far this
> > seemed to work:
> > alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"Popup Spam Attempt"; content:"|F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6 E6 FC|";)
> I have just looked at some of my automatically generated signatures
> (using Honeycomb and honeyd) for UDP port 135 and this looks correct.
> I do see some signatures that do not contain the last byte (0xFC), but
> otherwise they match perfectly. It should work.
Hrmm...I'll remove the FC, but I captured some popups
last night and snort didn't fire off with that rule.
More reading I think ;)
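An offline check of the rule discussed in this thread, as an added example that is not part of the original posts: it turns the rule's `content` option into the raw bytes Snort searches for and tests the 16-byte pattern and the variant without the trailing 0xFC against payloads. The payloads are constructed for illustration, not captured traffic, and reading the 16 bytes as a mixed-endian UUID is an assumption of this example.

```python
import re
import uuid

RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"Popup Spam Attempt"; '
        'content:"|F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6 E6 FC|";)')

def content_patterns(rule):
    """Return each content option of a rule as the bytes to search for."""
    patterns = []
    for text in re.findall(r'content:\s*"((?:[^"\\]|\\.)*)"', rule):
        out = bytearray()
        # Splitting on '|' alternates literal text (even index) and hex (odd index).
        # Escaped pipes inside literal text are not handled in this sketch.
        for i, chunk in enumerate(text.split("|")):
            if i % 2:
                out += bytes.fromhex(chunk)
            else:
                out += re.sub(r"\\(.)", r"\1", chunk).encode("latin-1")
        patterns.append(bytes(out))
    return patterns

def first_match(payload, pattern):
    """Offset of the pattern in the payload, or None if content would not match."""
    pos = payload.find(pattern)
    return None if pos < 0 else pos

FULL = content_patterns(RULE)[0]   # 16 bytes, as posted
SHORT = FULL[:-1]                  # variant without the trailing 0xFC

FILLER = bytes(8)                  # constructed stand-in for preceding bytes
SAMPLES = {                        # constructed payloads, not real captures
    "ends-in-fc": FILLER + FULL + b"\x01\x00",
    "last-byte-differs": FILLER + SHORT + b"\x00\x01\x00",
    "unrelated": FILLER + b"hello",
}

def compare(samples=SAMPLES):
    """Map sample name -> (offset for 16-byte pattern, offset for 15-byte pattern)."""
    return {name: (first_match(p, FULL), first_match(p, SHORT))
            for name, p in samples.items()}

def as_uuid(pattern):
    """Interpret 16 pattern bytes as a UUID with little-endian leading fields."""
    return str(uuid.UUID(bytes_le=pattern))

if __name__ == "__main__":
    for name, (full, short) in compare().items():
        print(f"{name:18} full={full} short={short}")
    print("pattern as UUID:", as_uuid(FULL))
```

Running the same comparison over the UDP payloads of a real capture shows whether a rule that stays silent is failing on the content bytes or somewhere else in the rule or sensor setup.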