[Snort-sigs] tftp msblast.exe rule

Kaufman, Adam Adam.Kaufman at ...1773...
Fri Aug 15 13:00:02 EDT 2003

We've found this rule helpful in identifying compromised hosts:

# sid/rev added here so the rule loads; 1000001 is a placeholder in the local (1000000+) range, pick one unused in your ruleset
alert udp any any -> any 69 (msg:"TFTP GET msblast.exe"; content:"|0001|"; offset:0; depth:2; content:"msblast.exe"; offset:2; nocase; classtype:unknown; sid:1000001; rev:1;)

The worm listens on UDP port 69. When the worm receives a request from a computer to which it was able to connect using the DCOM RPC exploit, it will send msblast.exe to that computer and tell it to execute the worm.

Adam Kaufman 
adam.kaufman at ...1774...
Information Security Office
State of Iowa
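
The following is an added example, not part of the original post or of Snort: a small Python script that parses TFTP read requests the way the rule above inspects them (2-byte opcode at offset 0, then a case-insensitive search for "msblast.exe" from offset 2 onward) and runs that check over a few constructed datagrams. The sample payloads, the helper names and the file names other than msblast.exe are assumptions made for the example.

```python
"""Added example (not from the original post): apply the logic of the
TFTP msblast.exe Snort rule to constructed TFTP datagrams."""
import struct

TFTP_RRQ = 1  # read request (RFC 1350); the worm's victim fetches the file with this
TFTP_WRQ = 2  # write request; the rule does not match this opcode


def parse_tftp_request(payload: bytes):
    """Parse an RRQ/WRQ datagram: 2-byte big-endian opcode, NUL-terminated
    filename, NUL-terminated transfer mode. Returns (opcode, filename, mode)
    or None when the datagram is not a well-formed request."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    parts = payload[2:].split(b"\x00")
    # a complete request yields filename, mode and an empty tail after the last NUL
    if len(parts) < 3:
        return None
    filename = parts[0].decode("ascii", errors="replace")
    mode = parts[1].decode("ascii", errors="replace")
    return opcode, filename, mode


def matches_msblast_rule(payload: bytes) -> bool:
    """Mirror the rule's two content checks: bytes |00 01| at offset 0 with
    depth 2, then 'msblast.exe' (nocase) anywhere from offset 2 onward."""
    if payload[:2] != b"\x00\x01":
        return False
    return b"msblast.exe" in payload[2:].lower()


def build_tftp_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Build a TFTP request datagram (constructed test input, not a capture)."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


# Constructed sample datagrams; names and files other than msblast.exe are made up.
SAMPLES = {
    "rrq_msblast": build_tftp_request(TFTP_RRQ, "msblast.exe"),
    "rrq_msblast_upper": build_tftp_request(TFTP_RRQ, "MSBLAST.EXE", "netascii"),
    "wrq_msblast": build_tftp_request(TFTP_WRQ, "msblast.exe"),  # upload: opcode 2, no match
    "rrq_benign": build_tftp_request(TFTP_RRQ, "pxelinux.0"),
    "truncated": b"\x00\x01ms",
}


def scan(samples: dict) -> list:
    """Return (name, parsed_request) for every datagram the rule would alert on."""
    hits = []
    for name, payload in samples.items():
        if matches_msblast_rule(payload):
            hits.append((name, parse_tftp_request(payload)))
    return hits


if __name__ == "__main__":
    for name, parsed in scan(SAMPLES):
        print(f"ALERT {name}: opcode={parsed[0]} file={parsed[1]!r} mode={parsed[2]!r}")
```

Two points the run makes visible: the opcode check means a write request carrying the same filename is ignored, and because the second content match is not anchored to the filename field, any RRQ whose filename merely contains "msblast.exe" (in any case) will also alert, which is the intended broad net for this worm.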
