[Snort-users] Rule opinions

James Nonya slave_tothe_box at ...131...
Wed Jun 25 11:57:16 EDT 2003


> -----Original Message-----
> From: James Nonya [mailto:slave_tothe_box at ...131...]
> 
> Sent: Tuesday, June 24, 2003 8:06 AM
> To: snort-users at ...382...
> Subject: [Snort-users] Rule opinions
> 
> 
> So ok...I have udp port 135 blocked anyway, but I
> wanted to see if this would fly...so far this hasn't
> seemed to work:
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 135
> (msg:"Popup Spam Attempt"; content:"|F8 91 7B 5A 00
> FF
> D0 11 A9 B2 00 C0 4F B6 E6 FC|";)
> 
> The content is from:
> http://www.mynetwatchman.com/kb/security/articles/popupspam/netsend.htm
> 
> Any ideas why this won't fly?  The firewall (using
> iptables) and snort are on the same box.  Thanks!
> 
> James
> 

So ok...I've just learned something.  Spaces in my hex
code are evil.  Using ftester and a single rule, here's
what the rule should look like:
alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"Popup Spam Attempt"; content:"|F8917B5A00FFD011A9B200C04FB6E6|";)

I left off the FC since I heard tell that it *may* not
be included in all popups.  Anyway, this one is ready
for production.

James
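The following is an added example, not code from the thread or from the Snort project. It parses the rule James settled on, converts the pipe-delimited hex in its content option to raw bytes, and runs the match over a few constructed UDP datagrams (not real captures) so a reader can see exactly which bytes the rule looks for and which packets it fires on. The rule parser is deliberately minimal: it checks transport, destination port and content only, and ignores the $EXTERNAL_NET/$HOME_NET address variables. It also accepts whitespace between hex pairs inside the pipes, so "|F8 91|" and "|F891|" reduce to the same bytes; a Snort rule itself must sit on a single line (or use backslash continuation), which is worth keeping in mind when a rule is pasted from mail.

```python
import re

# Added example, not code from the thread. Parses the Snort rule from the reply,
# converts its content option to raw bytes, and runs it over constructed datagrams.

# Rule text as given in the thread; the 15 bytes are the UUID fragment cited there.
RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 135 '
        '(msg:"Popup Spam Attempt"; content:"|F8917B5A00FFD011A9B200C04FB6E6|";)')


def parse_snort_content(value):
    """Turn a Snort content string into bytes.

    Text outside pipes is taken literally; text inside |...| is hex, and any
    whitespace between hex pairs is ignored, so "|F8 91|" and "|F891|" give
    the same two bytes.
    """
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2 == 1:  # odd segments sit between a pair of pipes: hex
            hexdigits = re.sub(r"\s+", "", part)
            if len(hexdigits) % 2:
                raise ValueError("odd number of hex digits in %r" % part)
            out += bytes.fromhex(hexdigits)
        else:  # even segments are literal text
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Minimal parser: rule header plus the quoted options this example needs."""
    header, _, options = rule.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    opts = dict(re.findall(r'(\w+):"([^"]*)"', options))
    return {"action": action, "proto": proto, "dport": dport,
            "msg": opts["msg"], "content": parse_snort_content(opts["content"])}


def rule_matches(rule, proto, dport, payload):
    """True when transport, destination port and content all agree with the rule.

    Address variables ($EXTERNAL_NET / $HOME_NET) are not evaluated here.
    """
    port_ok = rule["dport"] == "any" or rule["dport"] == str(dport)
    return proto == rule["proto"] and port_ok and rule["content"] in payload


def scan(datagrams, rule_text=RULE):
    """Return the rule's msg once for every datagram it fires on."""
    rule = parse_rule(rule_text)
    return [rule["msg"] for proto, dport, payload in datagrams
            if rule_matches(rule, proto, dport, payload)]


# Constructed sample traffic (not real captures): (proto, dst port, payload).
# UUID_BYTES is the full 16-byte sequence from the thread, including the trailing FC.
UUID_BYTES = bytes.fromhex("F8917B5A00FFD011A9B200C04FB6E6FC")
SAMPLE_DATAGRAMS = [
    ("udp", 135, b"\x04\x00" + UUID_BYTES + b"constructed popup text"),  # should fire
    ("udp", 135, b"\x04\x00" + b"\x00" * 16 + b"other traffic"),          # port 135, no UUID
    ("udp", 137, b"\x04\x00" + UUID_BYTES),                               # UUID, wrong port
    ("tcp", 135, UUID_BYTES),                                              # wrong transport
]

if __name__ == "__main__":
    print(scan(SAMPLE_DATAGRAMS))  # ['Popup Spam Attempt']
```

Only the first datagram fires: it is UDP, goes to port 135 and carries the 15-byte content somewhere in its payload. Leaving off the trailing FC, as the reply does, simply shortens the byte string that has to appear in the packet.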





