[Snort-sigs] Can someone please repost a sig for MS Blaster?

Parker, Ian Ian.Parker at ...1768...
Thu Aug 14 08:42:09 EDT 2003

An alternative that I have used to find infected systems on our site, is to
activate the port scanning feature.  Once this has been on for a while sort
descending by the "Total #" (in Acid) or "Last".

What I found is that all of the infected systems where showing up as "60
connections across 60 hosts".  The 60 could be replaced by any number
divisible by 20, or a number that was very close to a number devisable by 20
(i.e. 79, 61 etc). 

The infected systems have high counts on this scan type.


Ian Parker
Technical Specialist,
Technical Services
University Health Network

-----Original Message-----
From: Nigel Houghton [mailto:nigel at ...435...] 
Sent: August 13, 2003 6:40 PM
To: Eric Joe
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Can someone please repost a sig for MS Blaster?



Nigel Houghton       Security Engineer        Sourcefire Inc.
                Vulnerability Research Team

"Do you people practice being vague?"
Message dated: Aug 13

Around 1:48pm Eric Joe said:

EJ :I know it was already posted to the list, but I cant find the sig for
the EJ :MS Blaster worm, can someone repost or send a link please? EJ :Eric

This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data
Reports, E-commerce, Portals, and Forums are available now. Download today
and enter to win an XBOX or Visual Studio .NET.
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

This e-mail may contain confidential and/or privileged information
for the sole use of the intended recipient. Any review or distribution
by anyone other than the person for whom it was originally intended is
prohibited. If you have received this e-mail in error, please contact the
sender and
delete all copies. Opinions, conclusions or other information contained in
this e-mail may not be that of the organization.

More information about the Snort-sigs mailing list