[Snort-sigs] SQL Slammer Worm Signature

Michael.Advani at ...1221... Michael.Advani at ...1221...
Mon Feb 10 01:20:13 EST 2003

Someone formerly posted the rule for capturing SQL slammer as:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm 
Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; 
sid:9998; rev:1;)

which differs from the one found in snort.org (snortrules-current.tar.gz):

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation
attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|";
content:"sock"; content:"send"; reference:bugtraq,5310;
classtype:misc-attack; reference:bugtraq,5311;
reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

Others suggest this rule:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm
Activity"; content:"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)

How come there are so many versions? Though the header part is identical,
the 'meat' is totally different!
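As an added example (not part of the original post, and not Snort's own matching engine), here is a small Python matcher that parses the three quoted content strings and runs them over constructed payloads, to show that the rules differ in how specific they are rather than in what they target. The payloads are synthetic stand-ins: one contains the fragments all three rules look for (it is not the worm's bytes), one is a legitimate SSRP instance lookup (0x04 followed by an instance name), and one is an over-long 0x04 request padded with 0x01 but carrying no code. Plain `content` options without distance/within are treated as independent, case-sensitive searches over the whole payload; `depth` limits a search to the first N bytes.

```python
# Added example: toy Snort-style content matching for the three rules
# quoted above. Not Snort code; only content and depth are modelled.

RULES = {
    # sid:9998 -- leading 0x04 plus the start of the 0x01 padding run
    "sid9998": [("|04 01 01 01 01 01 01 01|", None)],
    # sid:2003 (snort.org) -- 0x04 at offset 0 AND three code fragments
    "sid2003": [("|04|", 1),
                ("|81 F1 03 01 04 9B 81 F1 01|", None),
                ("sock", None),
                ("send", None)],
    # third rule -- a packed string from the shellcode, no sid posted
    "string":  [("dllhel32hkernQhounthickChGetTf", None)],
}


def parse_content(spec):
    """Turn a Snort content string such as "|04|" or "abc|0d 0a|def" into
    bytes: segments between a pair of '|' are hex, the rest is literal."""
    out = bytearray()
    for i, seg in enumerate(spec.split("|")):
        if i % 2:                      # odd segments sit inside '|...|'
            out += bytes.fromhex(seg.replace(" ", ""))
        else:
            out += seg.encode("latin-1")
    return bytes(out)


def content_match(payload, spec, depth=None):
    """Search the whole payload, or only its first `depth` bytes."""
    haystack = payload if depth is None else payload[:depth]
    return parse_content(spec) in haystack


def rule_fires(payload, contents):
    """All content options of a rule must match for the rule to fire."""
    return all(content_match(payload, spec, depth) for spec, depth in contents)


def evaluate(payload):
    """Return {rule name: fired?} for one UDP/1434 payload."""
    return {name: rule_fires(payload, contents)
            for name, contents in RULES.items()}


# Constructed payloads (assumptions, not captures):
# a stand-in carrying every fragment the three rules look for ...
SLAMMER_LIKE = (b"\x04" + b"\x01" * 97
                + bytes.fromhex("81F10301049B81F101")
                + b"dllhel32hkernQhounthickChGetTf" + b"sock" + b"send")
# ... a legitimate SSRP CLNT_UCAST_INST lookup for a named instance ...
SSRP_INSTANCE_QUERY = b"\x04" + b"MSSQLSERVER\x00"
# ... and an over-long 0x04 request with only padding, no shellcode.
PADDING_ONLY = b"\x04" + b"\x01" * 97

if __name__ == "__main__":
    for label, pkt in (("slammer-like", SLAMMER_LIKE),
                       ("ssrp lookup", SSRP_INSTANCE_QUERY),
                       ("padding only", PADDING_ONLY)):
        print(label, evaluate(pkt))
```

The padding-only payload fires sid 9998 but neither of the others: that rule keys on the overflow padding, so it also catches scanners or fuzzers that send an over-long 0x04 request, while sid 2003 and the string rule key on bytes of the worm's own code and stay quiet. Conversely, a variant that re-ordered or re-encoded its shellcode could evade the two code-based rules while still tripping the padding rule. That trade-off between false positives and evasion, not a disagreement about the header, is why the 'meat' differs.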
