
List:       bleeding-sigs
Subject:    [Bleeding-sigs] MSN Sigs
From:       Matt Jonkman <matt () infotex ! com>
Date:       2005-08-18 13:46:10
Message-ID: 43049122.7090000 () infotex ! com

These were submitted yesterday. I just disabled 2191, it's falsing badly.


#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY MSN successful logon"; flow:established,to_server; content:"|56 45 52 20|"; depth:55; classtype:policy-violation; sid:2002191; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY MSN status change"; flow:established,to_server; content:"|43 48 47 20|"; depth:55; classtype:policy-violation; sid:2002192; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY MSN Chat Message"; content:"|58 2D 4D 4D 53 2D 49 4D 2D 46 6F 72 6D 61 74 3A|"; depth:153; classtype:policy-violation; sid:2002193; rev:1;)

Bob Grabowsky suggested making it dest 1863 for the port, but I think
that'll limit it too much. I'm going to leave it off for now since we
have other sigs that as far as I know are accurate.
-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------
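
An added illustration, not part of the original message or the Bleeding Snort ruleset: a small Python model of Snort's content/depth test for sid 2002191, run over constructed payloads, comparing the rule as posted with the destination-port-1863 restriction discussed above. The sample payloads, the alternate port 8080 and the depth:4 anchored variant are assumptions made for the example.

```python
"""Added example: model of Snort content/depth matching for sid 2002191."""

VER = bytes.fromhex("56 45 52 20")  # content:"|56 45 52 20|" is b"VER "

def content_match(payload: bytes, content: bytes, depth: int) -> bool:
    """Snort semantics: content must lie entirely within the first `depth` payload bytes."""
    return content in payload[:depth]

def rule_fires(payload, dst_port, content=VER, depth=55, port=None):
    """port=None models '-> $EXTERNAL_NET any'; an int models a fixed destination port.
    Flow state and HOME_NET/EXTERNAL_NET addressing are not modelled."""
    if port is not None and dst_port != port:
        return False
    return content_match(payload, content, depth)

# Constructed sample payloads (not captured traffic): (label, dst_port, bytes, is_msn)
SAMPLES = [
    ("msn-1863", 1863, b"VER 1 MSNP8 CVR0\r\n", True),
    ("msn-alt-port", 8080, b"VER 1 MSNP8 CVR0\r\n", True),  # assumed non-default port
    ("http-get", 80, b"GET /downloads/DRIVER HTTP/1.1\r\nHost: example.com\r\n\r\n", False),
    ("smtp-data", 25, b"Subject: SERVER maintenance tonight\r\n", False),
]

VARIANTS = {
    "as posted (any port, depth 55)": {},
    "dest port 1863": {"port": 1863},
    "anchored (depth 4, any port)": {"depth": 4},  # assumption: command starts the payload
}

def evaluate(variant_kwargs):
    """Return (false_positives, false_negatives) as lists of sample labels."""
    fp, fn = [], []
    for label, dport, payload, is_msn in SAMPLES:
        fired = rule_fires(payload, dport, **variant_kwargs)
        if fired and not is_msn:
            fp.append(label)
        elif not fired and is_msn:
            fn.append(label)
    return fp, fn

if __name__ == "__main__":
    for name, kw in VARIANTS.items():
        fp, fn = evaluate(kw)
        print(f"{name:32} FP={fp} FN={fn}")
```

On these samples the four-byte match fires on any payload carrying "VER " in its first 55 bytes (the "DRIVER " and "SERVER " strings), while pinning the port removes those hits at the cost of missing the off-port session.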

