Snort mailing list archives

RE: Rule opinions


From: James Nonya <slave_tothe_box () yahoo com>
Date: Wed, 25 Jun 2003 11:56:52 -0700 (PDT)

-----Original Message-----
From: James Nonya [mailto:slave_tothe_box () yahoo com]

Sent: Tuesday, June 24, 2003 8:06 AM
To: snort-users () sourceforge net
Subject: [Snort-users] Rule opinions


So ok...I have udp port 135 blocked anyways, but I
wanted to see if this would fly...so far this hasn't
seemed to work:

alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"Popup Spam Attempt"; content:"|F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6 E6 FC|";)

The content is from:

http://www.mynetwatchman.com/kb/security/articles/popupspam/netsend.htm

Any ideas why this won't fly?  The firewall (using
iptables) and snort are on the same box.  Thanks!

James


So ok...I've just learned something.  Spaces in my hex
code are evil.  Using ftester and a single rule here's
what the rule should look like:
alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"Popup Spam Attempt"; content:"|F8917B5A00FFD011A9B200C04FB6E6|";)

I left off the FC since I heard tale that it *may* not
be included in all popups.  Anyways, this one is ready
for production.

James



