[Snort-users] Rule opinions
slave_tothe_box at ...131...
Wed Jun 25 11:57:16 EDT 2003
> -----Original Message-----
> From: James Nonya [mailto:slave_tothe_box at ...131...]
> Sent: Tuesday, June 24, 2003 8:06 AM
> To: snort-users at ...382...
> Subject: [Snort-users] Rule opinions
> So ok...I have udp port 135 blocked anyways, but I
> wanted to see if this would fly...so far this hasn't
> seemed to work:
> alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"Popup Spam Attempt"; content:"|F8 91 7B 5A 00 D0 11 A9 B2 00 C0 4F B6 E6 FC|";)
> The content is from:
> Any ideas why this won't fly? The firewall using
> iptables and snort are on the same box. Thanks!
So ok...I've just learned something. Spaces in my hex
code are evil. Using ftester and a single rule here's
what the rule should look like:
alert udp $EXTERNAL_NET any -> $HOME_NET 135
(msg:"Popup Spam Attempt";
I left off the FC since I heard tale that it *may* not
be included in all popups. Anyways, this one is ready