Snort mailing list archives

Re: Rule opinions


From: Gary Flynn <flynngn () jmu edu>
Date: Tue, 24 Jun 2003 11:41:43 -0400



Kreimendahl, Chad J wrote:
> Maybe a better name for it would be "NETBIOS net send"... that's the
> command they use to send you spam to your windows box.

Actually, if it's going to port 135, it's not NetBIOS. It's an RPC
service. To my knowledge, that is the way the bulk messenger
spams are being sent nowadays even though they can also be sent
via NetBIOS to 139.

Also, I just saw a post indicating that the spammers are getting
around port 135 blocks by directly addressing the messenger
service port. Port 135 is a port mapper. People contact it to
find out where the service they are interested in using is
listening. It works like the Unix port mapper. If the Messenger
service always listens on the same port and the spammers know
where it is, there is no need for them to contact the port mapper
first. The warning I saw said they were spamming port 1026.

In my tests, a seemingly random port opened up when a message
was sent but I didn't test too much. If the Messenger Service
does indeed listen on 1026 most of the time, we're going to have
more problems shortly.

Here is some more background info:
http://www.jmu.edu/computing/security/info/winmsg.shtml

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
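As an added example (not part of the list post above), the following Python sketch shows one way to detect the bypass Gary describes: a host being contacted directly on the Messenger port without the sender having first queried the port mapper on 135. The flow records are constructed; port 1026 as the Messenger port, the five-second lookup window and the two-target threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (timestamp, src_ip, dst_ip, proto, dst_port)
SAMPLE_FLOWS = [
    (100.0, "203.0.113.5", "192.0.2.10", "tcp", 135),    # mapper lookup first ...
    (100.2, "203.0.113.5", "192.0.2.10", "udp", 1026),   # ... then the service: normal RPC sequence
    (200.0, "198.51.100.7", "192.0.2.11", "udp", 1026),  # no prior 135 contact: direct Messenger spam
    (300.0, "198.51.100.7", "192.0.2.12", "udp", 1026),  # same sender, another target
    (400.0, "192.0.2.20", "192.0.2.10", "tcp", 445),     # unrelated traffic
]

ENDPOINT_MAPPER_PORT = 135
MESSENGER_PORT = 1026   # assumed, per the thread; the service may bind elsewhere
LOOKUP_WINDOW = 5.0     # assumed max seconds between mapper lookup and service contact


def find_mapper_bypass(flows, window=LOOKUP_WINDOW):
    """Return (src, dst, ts) for every contact to the Messenger port that was not
    preceded, within `window` seconds, by a port-mapper lookup from the same
    source to the same destination."""
    last_lookup = {}  # (src, dst) -> timestamp of most recent port 135 contact
    hits = []
    for ts, src, dst, proto, dport in sorted(flows):
        key = (src, dst)
        if dport == ENDPOINT_MAPPER_PORT:
            last_lookup[key] = ts
        elif dport == MESSENGER_PORT and proto == "udp":
            seen = last_lookup.get(key)
            if seen is None or ts - seen > window:
                hits.append((src, dst, ts))
    return hits


def spam_sources(flows, min_targets=2):
    """Sources that skipped the port mapper against at least `min_targets`
    distinct hosts, i.e. the bulk-sender pattern rather than a one-off."""
    targets = defaultdict(set)
    for src, dst, _ in find_mapper_bypass(flows):
        targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, dsts in spam_sources(SAMPLE_FLOWS).items():
        print(f"{src} contacted {len(dsts)} hosts on {MESSENGER_PORT}/udp without a 135 lookup")
```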


