[Snort-sigs] tftp msblast.exe rule

Kaufman, Adam Adam.Kaufman at ...1773...
Fri Aug 15 13:00:02 EDT 2003


We've found this rule helpful in identifying compromised hosts:

alert udp any any -> any 69 (msg:"TFTP GET msblast.exe"; content: "|0001|"; offset:0; depth:2; content:"msblast.exe"; offset:2; nocase; classtype:unknown; )

The worm listens on UDP port 69. When the worm receives a request from a computer to which it was able to connect using the DCOM RPC exploit, it will send msblast.exe to that computer and tell it to execute the worm.
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html


--
Adam Kaufman 
adam.kaufman at ...1774...
Information Security Office
State of Iowa
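As an added illustration (not part of the original post or of any Snort project code), the following Python parses a TFTP read/write request per RFC 1350 and applies the same two checks the rule above encodes (RRQ opcode in the first two bytes, "msblast.exe" case-insensitively anywhere from byte 2 on). The packets are constructed samples, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# TFTP opcodes (RFC 1350): 1 = RRQ (read request), 2 = WRQ (write request)
TFTP_RRQ = 1
TFTP_WRQ = 2


@dataclass
class TftpRequest:
    opcode: int
    filename: str
    mode: str


def parse_tftp_request(payload: bytes) -> Optional[TftpRequest]:
    """Parse a TFTP RRQ/WRQ: 2-byte opcode, NUL-terminated filename, NUL-terminated mode.
    Returns None for any other opcode or a malformed packet."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty piece after the final NUL
        return None
    return TftpRequest(opcode, fields[0].decode("latin-1"), fields[1].decode("latin-1"))


def matches_msblast_rule(payload: bytes) -> bool:
    """Mirror of the Snort rule's two content checks:
    content:"|0001|"; offset:0; depth:2       -> RRQ opcode in the first two bytes
    content:"msblast.exe"; offset:2; nocase   -> string anywhere from byte 2 on, any case"""
    return payload[:2] == b"\x00\x01" and b"msblast.exe" in payload[2:].lower()


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Build a constructed sample RRQ packet for the demo (hypothetical helper)."""
    return struct.pack("!H", TFTP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


if __name__ == "__main__":
    samples = (
        build_rrq("msblast.exe"),                              # the worm's transfer request
        build_rrq("MSBLAST.EXE", "netascii"),                  # caught by nocase
        build_rrq("boot.cfg"),                                 # benign RRQ
        b"\x00\x02msblast.exe\x00octet\x00",                   # WRQ: opcode check fails
    )
    for pkt in samples:
        print(parse_tftp_request(pkt), "ALERT" if matches_msblast_rule(pkt) else "ok")
```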