[Snort-sigs] snort-rules STABLE update @ Fri Feb 7 17:33:38 2003

Brian bmc at ...95...
Mon Feb 10 07:53:05 EST 2003


On Mon, Feb 10, 2003 at 05:12:16PM +0800, Michael.Advani at ...1221... wrote:
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm 
> Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; 
> sid:9998; rev:1;)
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation
> attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|";
> content:"sock"; content:"send"; reference:bugtraq,5310;
> classtype:misc-attack; reference:bugtraq,5311;
> reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm
> Activity"; content:
> "dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)


> How come there are so many versions ? Though the header part is identical,
> the 'meat' is totally different !

Because one is an "official" rule, the others are not.  (sid:2003 is the
official rule, in case you didn't notice...)

-brian
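As an added example (not from this thread or the Snort project), a small Python evaluator for the content/depth options used by the three quoted rules, so you can see which of them fires on a given 1434/udp payload. The sample payloads are constructed test vectors built only from the signature fragments quoted above, and the "benign" SSRP instance query format is an assumption.

```python
import re

# The three rules from the thread (detection options only; references dropped).
RULES = {
    "sid:9998": 'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm '
                'Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9998; rev:1;)',
    "sid:2003": 'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation '
                'attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; '
                'content:"sock"; content:"send"; classtype:misc-attack; sid:2003; rev:2;)',
    "no sid":   'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm '
                'Activity"; content:"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)',
}

# Only the options this evaluator understands: content:"..." and depth:N.
_OPT = re.compile(r'\b(content|depth):\s*(?:"([^"]*)"|(\d+))\s*;')


def parse_content(text):
    """Convert a Snort content string to bytes: |..| runs are hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Return [(pattern, depth)] in rule order; a depth option binds to the content before it."""
    matchers = []
    for key, string, number in _OPT.findall(rule):
        if key == "content":
            matchers.append([parse_content(string), None])
        elif matchers:  # depth
            matchers[-1][1] = int(number)
    return matchers


def rule_matches(rule, payload):
    """All content options must be present (AND); depth limits the search to the first N bytes."""
    for pattern, depth in parse_rule(rule):
        haystack = payload if depth is None else payload[:depth]
        if pattern not in haystack:
            return False
    return True


def matching_rules(payload):
    """Names of the rules whose content options all match the given UDP payload."""
    return [name for name, rule in RULES.items() if rule_matches(rule, payload)]


# Constructed test vectors (signature fragments only, nothing functional).
BENIGN_SSRP = b"\x04MSSQLSERVER\x00"  # assumed normal SSRP instance query to 1434/udp
ALL_FRAGMENTS = (b"\x04" + b"\x01" * 7 + bytes.fromhex("81f10301049b81f101")
                 + b"sock" + b"send" + b"dllhel32hkernQhounthickChGetTf")
```

Prefixing `ALL_FRAGMENTS` with a single extra byte shows the effect of `depth:1` in sid:2003: the official rule stops matching while the two looser rules still fire.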