[Snort-sigs] tftp msblast.exe rule
Adam.Kaufman at ...1773...
Fri Aug 15 13:00:02 EDT 2003
We've found this rule helpful in identifying compromised hosts:
alert udp any any -> any 69 (msg:"TFTP GET msblast.exe"; content: "|0001|"; offset:0; depth:2; content:"msblast.exe"; offset:2; nocase; classtype:unknown; )
Listens on UDP port 69. When the worm receives a request from a computer to which it was able to connect using the DCOM RPC exploit, it will send msblast.exe to that computer and tell it to execute the worm.
adam.kaufman at ...1774...
Information Security Office
State of Iowa
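To see concretely what the rule above fires on, here is a small Python reference matcher (an added example, not part of the original post or of Snort). It parses a TFTP read/write request as laid out in RFC 1350 (2-byte opcode, NUL-terminated filename, NUL-terminated mode) and applies the same two checks the rule applies: opcode 0x0001 in the first two bytes, then "msblast.exe" case-insensitively anywhere from offset 2 onward. The sample packets are constructed for the example; the function names are mine.

```python
"""Reference matcher for the 'TFTP GET msblast.exe' Snort rule.
Added example, not from the original post. Assumes the standard
RFC 1350 request layout: opcode(2) | filename | 0 | mode | 0.
"""
import struct

TFTP_RRQ = 1   # read request  (the "GET" the rule looks for)
TFTP_WRQ = 2   # write request

def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for a well-formed RRQ/WRQ,
    or None for anything else (DATA, ACK, ERROR, truncated packets)."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    # Splitting on NUL yields [filename, mode, ''] for a complete request.
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:
        return None
    return opcode, fields[0].decode("latin-1"), fields[1].decode("latin-1")

def snort_rule_matches(payload: bytes) -> bool:
    """Mirror of the rule body:
       content:"|0001|"; offset:0; depth:2;   -> first two bytes are 00 01
       content:"msblast.exe"; offset:2; nocase; -> substring from byte 2 on
    Note the second check is a substring match over the rest of the
    datagram, not a strict comparison of the filename field."""
    return payload[:2] == b"\x00\x01" and b"msblast.exe" in payload[2:].lower()

# Constructed sample datagrams (not real captures).
SAMPLE_PACKETS = {
    "worm_get":        b"\x00\x01msblast.exe\x00octet\x00",
    "worm_get_upper":  b"\x00\x01MSBLAST.EXE\x00octet\x00",
    "benign_get":      b"\x00\x01boot.cfg\x00netascii\x00",
    "put_not_get":     b"\x00\x02msblast.exe\x00octet\x00",
    "data_block":      b"\x00\x03\x00\x01payload-bytes",
}

def scan(packets: dict) -> list:
    """Return the names of sample packets the rule would alert on,
    along with the parsed filename for analyst context."""
    hits = []
    for name, payload in packets.items():
        if snort_rule_matches(payload):
            parsed = parse_tftp_request(payload)
            filename = parsed[1] if parsed else "<unparsed>"
            hits.append((name, filename))
    return hits

if __name__ == "__main__":
    for name, filename in scan(SAMPLE_PACKETS):
        print(f"ALERT TFTP GET msblast.exe  sample={name}  file={filename}")
```

Running it shows the rule catching both the lower- and upper-case request while ignoring the benign read, the write request (opcode 0x0002) and a DATA block. Because the rule only inspects the request sent to UDP/69, the subsequent DATA transfer on ephemeral ports is not what triggers the alert; the request alone is enough to flag the victim asking for the file.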