Hi All!
Sorry for my mistake - I meant "important", when wrote "impotent". I
hurried up :-)).
I have written some TRONS rules in the assumption, that if someone will
trigger a set of these signatures, it will be NetMeeting usage. Here are
these rules:
alert tcp any any -> any 389 (flags: S; msg: "NetMeeting ILS connection
attempt";)
alert tcp any any -> any 522 (flags: S; msg: "NetMeeting ULS connection
attempt";)
alert tcp any any -> any 1503 (flags: S; msg: "NetMeeting T.120 connection
attempt";)
alert tcp any any -> any 1720 (flags: S; msg: "NetMeeting H.323 call setup
attempt";)
alert tcp any any -> any 1731 (flags: S; msg: "NetMeeting Audio call setup
attempt";)
If someone thinks differently, please, correct me.
Thanks.
---
Best regards, Sergey V. Soldatov.
"Sergey V Soldatov"
<[EMAIL PROTECTED]> To: [EMAIL PROTECTED]
Sent by: cc:
[EMAIL PROTECTED] Subject: [ISSForum] Detecting NetMeeting
traffic by RS NS7.0
16.03.2004 16:16
Good day.
It is very impotent for me to detect NetMeeting traffic in my LAN.
How can I do this by RealSecure Network Sensor? I haven't found any NS's
standard signatures and on Snort.org (to create TRONS-signature) also
nothing interesting.
Thanks a lot.
---
Best regards, Sergey V. Soldatov.
tel/fax +7 095 745 89 50 (2663)
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303
Barfield Road, Atlanta, Georgia, USA 30328.
