
List:       snort-sigs
Subject:    Re: [Snort-sigs] snort not detect messenger spam ? (snort240b18+snortrules24)
From:       Erik Fichtner <emf () obfuscation ! org>
Date:       2005-08-16 16:20:03
Message-ID: 43021233.5040509 () obfuscation ! org

rmkml wrote:
> > it is easy enough to create a rule to detect this.
> 
> 
> send "easy" rule to the list ?

This piece of junk has been floating around in my rules file for
a few years. Used to work, but there's no point in alerting
on it from an IDS. Perhaps if you're inline and can block the
packets there's some value, but not much. Seems like it would
be a better course of action to patch this extremely old vulnerability
and move on to bigger targets.

anyway...


# ... not right now... it's often spoofed anyway.
#alert udp $EXTERNAL_NET any -> $HOME_NET 1026:1027 (msg:"Spoofed source UDP Microsoft RPC Pop-up spam exploit"; \
#       content: "|1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 4fb6 e6fc|"; \
#       content: "|3133 3132 3030 3032 3230 3130 0000 0000 0100|"; \
#       classtype: misc-attack; sid:90002; rev:1;)



-- 
Erik Fichtner; Unix Ronin

"Mathematics is something best shared between consenting adults
in the privacy of their own office" - Adam O'Donnell
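
Added example, not part of the original message and not Snort code: a small Python harness that parses the two content options of the rule above and checks them against constructed payloads, the way one might regression-test the rule offline. The function names and the test payloads are hypothetical; it assumes that content options without position modifiers must all be present and may each match anywhere in the payload.

```python
import re

# Content options copied from the rule in the message above.
RULE_CONTENTS = [
    "|1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 "
    "f891 7b5a 00ff d011 a9b2 00c0 4fb6 e6fc|",
    "|3133 3132 3030 3032 3230 3130 0000 0000 0100|",
]
RULE_DST_PORTS = range(1026, 1028)  # "1026:1027" in the rule header


def parse_content(spec: str) -> bytes:
    """Convert a content string (literal text with |hex| sections) to bytes.

    Backslash escapes are not handled; the rule above does not use them.
    """
    out = bytearray()
    # Splitting on '|' alternates literal text (even index) and hex (odd index).
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
            continue
        digits = re.sub(r"\s+", "", part)
        if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", digits):
            raise ValueError(f"bad hex section: {part!r}")
        out += bytes.fromhex(digits)
    return bytes(out)


PATTERNS = [parse_content(c) for c in RULE_CONTENTS]


def rule_matches(dst_port: int, payload: bytes) -> bool:
    """True when the port is in range and every content pattern is present."""
    return dst_port in RULE_DST_PORTS and all(p in payload for p in PATTERNS)


def sample_payload() -> bytes:
    """Constructed test payload (not captured traffic): filler around both patterns."""
    return b"\xaa\xbb" + PATTERNS[0] + b"\x00" * 16 + PATTERNS[1] + b"constructed text"


if __name__ == "__main__":
    good = sample_payload()
    print("both patterns, port 1026:", rule_matches(1026, good))
    print("both patterns, port 135: ", rule_matches(135, good))
    print("first pattern only:      ", rule_matches(1027, PATTERNS[0] + b"hello"))
```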

