Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

how would i.....signature wizard tcp ports 3127-3199

I am trying to create a signature using the signature wizard in 4.1

I need to see what sources inside my network are trying to open tcp ports 3127-3199.

This is the port range asociated with system infected with mydoom A,B, C(doomjuice)...state2 (remote access)

I can't get the sig wizard to take a range of destination ports in any of the Packet Signatures or Stream Signatures....

I can't find a sig to copy....

Can someone point me in the right direction or give some instruction in the use of the sig wiz to create this rule....thanks

gprice

3 REPLIES
New Member

Re: how would i.....signature wizard tcp ports 3127-3199

Am I way off center on this request?

gprice

Cisco Employee

Re: how would i.....signature wizard tcp ports 3127-3199

Signatures 9033 and 9233 were written to detect the MyDoom.C activity. These signature were built using the ATOMIC.TCP engine and cannot have a range attached to them.

If you want a port range the engine STRING.TCP is the one to use. This is the 'tcp stream' portion on the signature wizard. Once you get to the parameter ServicePort you can enter a range like 3127-3199 as a value.

New Member

Re: how would i.....signature wizard tcp ports 3127-3199

thanks will take that advice and work with the string engine..... gp

119
Views
0
Helpful
3
Replies