Snort mailing list archives

Adding outbound rules to snort ruleset


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Wed, 9 Jun 2004 14:39:47 -0400

Has there been any discussion about adding outbound NetBIOS rules to
snort?  Most of the rules in the "official" set of rules related to
traffic going from EXTERNAL_NET to HOME_NET.  There are quite a few
rules that related to connecting to IRC servers, responses to attacks,
etc.  It wouldn't need to be very complicated since I never want ANY
NetBIOS traffic going out AT ALL!  Here's a suggestion for a starting
point:
 
alert udp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"NETBIOS connection outside LAN - udp 137"; classtype:bad-unknown;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"NETBIOS connection outside LAN - tcp 137"; classtype:bad-unknown;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS connection outside LAN - tcp 139"; classtype:bad-unknown;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS connection outside LAN - tcp 445"; classtype:bad-unknown;)
 
I suppose there's a bunch more that could be similar - SNMP, TFTP,
perhaps 1723 (pptp), IRC (6666 & 6667) and of course the "worm dejour"
but NetBIOS attacks are so common in these. 
 
This relates a bit to the comments by
<mailto:etienne.causse () pierre-fabre com> etienne.causse () pierre-fabre com
about the virus.rules file.
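To show what the four egress rules above actually catch, here is an added example (not part of the post, and not Snort's own engine): a minimal matcher that parses those rule headers and runs them over constructed flow records. HOME_NET is assumed to be 192.168.1.0/24 and EXTERNAL_NET its complement; the 5-tuples are constructed sample data.

```python
import ipaddress
import re

# Assumed HOME_NET; anything outside it counts as $EXTERNAL_NET (the usual !$HOME_NET).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# The four outbound NetBIOS rules from the post, one per line.
RULES_TEXT = """
alert udp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"NETBIOS connection outside LAN - udp 137"; classtype:bad-unknown;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"NETBIOS connection outside LAN - tcp 137"; classtype:bad-unknown;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS connection outside LAN - tcp 139"; classtype:bad-unknown;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS connection outside LAN - tcp 445"; classtype:bad-unknown;)
"""

# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)$'
)

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        r = m.groupdict()
        opts = dict(kv.strip().split(":", 1) for kv in r.pop("opts").split(";") if kv.strip())
        r["msg"] = opts.get("msg", "").strip('"')
        rules.append(r)
    return rules

def _addr_ok(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "$HOME_NET":
        return ip in HOME_NET
    if spec == "$EXTERNAL_NET":
        return ip not in HOME_NET
    return spec == "any" or ip == ipaddress.ip_address(spec)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def match(rules, flow):
    # flow: constructed 5-tuple dict with proto, src, sport, dst, dport
    return [r["msg"] for r in rules
            if r["proto"] == flow["proto"]
            and _addr_ok(r["src"], flow["src"]) and _port_ok(r["sport"], flow["sport"])
            and _addr_ok(r["dst"], flow["dst"]) and _port_ok(r["dport"], flow["dport"])]

# Constructed flows: LAN host to Internet (should alert), LAN to LAN and inbound (should not).
FLOWS = [
    {"proto": "tcp", "src": "192.168.1.10", "sport": 1034, "dst": "203.0.113.5", "dport": 445},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 1035, "dst": "192.168.1.20", "dport": 445},
    {"proto": "udp", "src": "192.168.1.10", "sport": 137, "dst": "203.0.113.5", "dport": 137},
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40000, "dst": "192.168.1.10", "dport": 139},
]

def alerts_for(flows):
    rules = parse_rules(RULES_TEXT)
    return [(f["src"], f["dst"], f["dport"], match(rules, f)) for f in flows]
```

Only the first and third flows fire, which is the point of the direction operator: SMB to a LAN peer and inbound 139 from outside are left to the existing EXTERNAL_NET -> HOME_NET rules.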
