Windows Message SPAM - Snort Rule

Asadoorian, Paul D Paul_Asadoorian at
Fri Oct 11 14:24:14 GMT 2002


I've done some quick research and come up with a snort rule to catch
incoming Windows messaging (net send):

alert tcp any any -> $HOME_NET 139 (msg:"Windows Messaging - Net Send"; content:"PENCACACACACAAD"; tag: session, 10, packets;)

I captured packets from a Windows XP machine to a 2000 server and
observed that a net send message is sent across TCP port 139 and always
contains the above string.  I log the next 10 packets to capture the
message that is being sent.  I've done limited testing so please let me
know if you find problems.



Paul Asadoorian, GCIA
Brown University
115 Waterman St.
Providence, RI 02912

PGP Key:
Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
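As an added illustration, not code from the original post or from Snort itself, the following Python models what the rule does: match the content string on TCP/139 traffic bound for $HOME_NET, then log the next 10 packets of that session, run over constructed packets. HOME_NET is assumed to be 10.0.0.0/8, and Packet, session_key, apply_rule and build_sample are made-up names.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/8")   # assumed value for $HOME_NET
CONTENT = b"PENCACACACACAAD"           # content string from the rule
TAG_PACKETS = 10                       # tag: session, 10, packets

# Minimal packet model (hypothetical, enough for the rule's fields)
Packet = namedtuple("Packet", "src sport dst dport payload")


def session_key(p):
    # The tag "session" is the bidirectional TCP 5-tuple, so both
    # directions of the conversation map to the same key.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def apply_rule(packets):
    """Return (alerts, tagged): indexes of packets that fired the rule and
    indexes of the up-to-10 following packets of the same session."""
    alerts, tagged = [], []
    active = {}  # session_key -> packets still to log for that session
    for i, p in enumerate(packets):
        key = session_key(p)
        matched = (p.dport == 139 and ip_address(p.dst) in HOME_NET
                   and CONTENT in p.payload)
        if matched:
            alerts.append(i)
            active.setdefault(key, TAG_PACKETS)  # start tagging this session
        elif key in active:
            tagged.append(i)                     # log one of the 10 packets
            active[key] -= 1
            if active[key] == 0:
                del active[key]
    return alerts, tagged


def build_sample():
    # Constructed traffic, not a real capture: one net send (the hit), a
    # reply, 12 more packets in the same session, then an unrelated
    # port-139 session that must not be tagged.
    a, b, c = ("192.168.1.5", 1025), ("10.1.2.3", 139), ("192.168.1.7", 1026)
    pk = lambda s, d, data: Packet(s[0], s[1], d[0], d[1], data)
    pkts = [pk(a, b, b"\x00\x00\x00\x44 PENCACACACACAAD hello")]
    pkts.append(pk(b, a, b"reply"))
    pkts += [pk(a, b, b"msg part %d" % n) for n in range(12)]
    pkts.append(pk(c, b, b"other smb traffic, no hit"))
    return pkts
```

In this model a second hit on a session that is already being tagged does not restart the count; that is a simplification of the example, not a statement about Snort's tagging code.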
