Snort mailing list archives
RE: Rule opinions
From: James Nonya <slave_tothe_box () yahoo com>
Date: Wed, 25 Jun 2003 11:56:52 -0700 (PDT)
-----Original Message-----
From: James Nonya [mailto:slave_tothe_box () yahoo com]
Sent: Tuesday, June 24, 2003 8:06 AM
To: snort-users () sourceforge net
Subject: [Snort-users] Rule opinions

So ok...I have udp port 135 blocked anyway, but I wanted to see if this would fly...so far this hasn't seemed to work:

alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"Popup Spam Attempt"; content:"|F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6 E6 FC|";)

The content is from:
http://www.mynetwatchman.com/kb/security/articles/popupspam/netsend.htm

Any ideas why this won't fly? The firewall (using iptables) and snort are on the same box.

Thanks!
James
So ok...I've just learned something. Spaces in my hex code are evil. Using ftester and a single rule, here's what the rule should look like:

alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"Popup Spam Attempt"; content:"|F8917B5A00FFD011A9B200C04FB6E6|";)

I left off the FC since I heard tale that it *may* not be included in all popups. Anyway, this one is ready for production.

James
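To see what the rule's content string actually matches on the wire, here is an added Python example (not from the thread or from Snort itself) that decodes a Snort content value into bytes, renders those bytes as the DCE/RPC interface UUID they encode, and emulates the unanchored content check against a constructed UDP payload. The decoder ignores whitespace inside pipe sections, which Snort's pipe-hex notation also permits; the sample datagram layout and the helper names are assumptions made for this example.

```python
import re
import uuid

# The two content strings from the thread (spaced and unspaced forms).
SPACED = "|F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6 E6 FC|"
COMPACT = "|F8917B5A00FFD011A9B200C04FB6E6|"   # trailing FC dropped, as in the final rule


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content value: literal text outside pipes, hex inside.

    Whitespace between hex digits inside a pipe section is ignored, so the
    spaced and unspaced forms above decode to the same byte sequence.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:                      # literal (non-pipe) section
            out += part.encode("latin-1")
        else:                               # hex section
            digits = re.sub(r"\s+", "", part)
            if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", digits):
                raise ValueError(f"bad hex section: {part!r}")
            out += bytes.fromhex(digits)
    return bytes(out)


def interface_uuid(pattern: bytes) -> str:
    """Render the first 16 pattern bytes as a DCE/RPC interface UUID
    (RPC encodes the UUID's first three fields little-endian on the wire)."""
    return str(uuid.UUID(bytes_le=pattern[:16]))


def rule_matches(payload: bytes, content: str) -> bool:
    """Emulate the rule's unanchored content check against a UDP payload."""
    return snort_content_to_bytes(content) in payload


# Constructed sample datagrams (assumption: laid out roughly like a
# connectionless DCE/RPC header, with the interface UUID at offset 24).
_uuid = snort_content_to_bytes(SPACED)
SAMPLE_POPUP = bytes([0x04, 0x00, 0x20, 0x00]) + b"\x00" * 20 + _uuid + b"\x00" * 40
SAMPLE_OTHER = bytes([0x04, 0x00, 0x20, 0x00]) + b"\x00" * 76

if __name__ == "__main__":
    print(interface_uuid(_uuid))                 # 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
    print(rule_matches(SAMPLE_POPUP, COMPACT))   # True
    print(rule_matches(SAMPLE_OTHER, COMPACT))   # False
```

Dropping the final FC turns the 16-byte UUID match into a 15-byte prefix match, so the shorter rule fires on every payload the longer one would, plus any that differ only in that last byte.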