Re: Rule opinions

[James Nonya <slave_tothe_box () yahoo com>]

--- Christian Kreibich <christian () whoop org> wrote:
> Hi,
>
> On Tue, 2003-06-24 at 14:05, James Nonya wrote:
> > So ok...I have udp port 135 block anyways, but I
> > wanted to see if this would fly...so far this
> hasn't
> > seemed to work:
> >
> > alert udp $EXTERNAL_NET any -> $HOME_NET 135
> > (msg:"Popup Spam Attempt"; content:"|F8 91 7B 5A
> 00 FF
> > D0 11 A9 B2 00 C0 4F B6 E6 FC|";)
>
> I have just looked at some of my automatically
> generated signatures
> (using Honeycomb[1] and honeyd) for UDP port 135 and
> this looks correct.
> I do see some signatures that do not contain the
> last byte (0xFC), but
> otherwise they match perfectly. It should work.
>
> [1]
> http://www.cl.cam.ac.uk/~cpk25/honeycomb/index.html
>
> Regards,
> Christian.
> -- 

Hrmm...I'll remove the FC, but I captured some popups
last night and snort didn't fire off with that rule. 
More reading I think ;)

James


__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com


-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users