Windows Message SPAM - Snort Rule

Asadoorian, Paul D Paul_Asadoorian at brown.edu
Fri Oct 11 14:24:14 GMT 2002


All:

I've done some quick research and come up with a snort rule to catch
incoming windows messaging (net send):

alert tcp any any -> $HOME_NET 139 (msg:"Windows Messaging - Net Send"; content:"PENCACACACACAAD"; tag:session,10,packets;)

I captured packets from a windows XP machine to a 2000 server and
observed that a net send message is sent across TCP port 139 and always
contains the above string.  I log the next 10 packets to capture the
message that is being sent.  I've done limited testing so please let me
know if you find problems.

Thanks,

Paul

Paul Asadoorian, GCIA
Brown University
115 Waterman St.
Providence, RI 02912
401.863.7553

PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc
Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
Web: http://www.pauldotcom.com
 



More information about the unisog mailing list