[Snort-sigs] SQL Slammer Worm Signature

Michael.Advani at ...1221...
Mon Feb 10 18:09:05 EST 2003


Thanks for your detailed reply. I am now clear from your 'ngrep' output that
different analysts tend to extract different parts of the worm for building a
signature. I am just wondering about the first one, with content equal to "04 01
01 01 01 01 01 01": will that be too general to judge from this pattern that
it is the SQL Slammer worm? Does that mean no other worms will adopt this
pattern? In fact, I would like to know which part of the worm I should
extract for building a Snort signature.

Thanks & regards,
Michael
 
-----Original Message-----
From: John Sage [mailto:jsage at ...425...]
Sent: Tuesday, February 11, 2003 3:02 AM
To: Advani, Michael
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] SQL Slammer Worm Signature


Michael:

On Mon, Feb 10, 2003 at 05:19:38PM +0800, Michael.Advani at ...1221... wrote:
> Someone formerly posted the rule for capturing SQL slammer as:
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm 
> Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; 
> sid:9998; rev:1;)
> 
> which differs from the one found in snort.org (snortrules-current.tar.gz):
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation
> attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|";
> content:"sock"; content:"send"; reference:bugtraq,5310;
> classtype:misc-attack; reference:bugtraq,5311;
> reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)
> 
> Others suggest this rule:
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm
> Activity"; content:
> "dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)
> 
> How come there are so many versions ? Though the header part is identical,
> the 'meat' is totally different !

They're simply three different ways of looking at the same thing:

> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm 
> Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; 
> sid:9998; rev:1;)

A hex search of packet content:

[toot at ...1275... /storage/snort/old_snorts/013003]# ngrep -eXt -I snort-0130\@1918.log "0x0401010101010101" "dst port 1434"
input: snort-0130 at ...1276...
filter: ip and ( dst port 1434 )
match: 0x0401010101010101
#
U 2003/01/30 20:10:41.760045 217.58.216.50:2490 -> 12.82.132.120:1434
 
............................................................................
.........
 
...............B.........p.B.p.B........h...B.....1...P..5....P..Qh.dllhel32
hkernQhou
 
nthickChGetTf.llQh32.dhws2_f.etQhsockf.toQhsend....B.E.P..P.E.P.E.P..P....B.
...=U..Qt
 
.....B....1.QQP............Q.E.P.E.P..j.j.j...P.E.P.E.P........<a...E... at ...253...
........)
  .......E.j..E.P1.Qf..x.Q.E.P.E.P....

#
<snip>
exit



> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation
> attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|";
> content:"sock"; content:"send"; reference:bugtraq,5310;
> classtype:misc-attack; reference:bugtraq,5311;
> reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

Another hex search:

[toot at ...1275... /storage/snort/old_snorts/013003]# ngrep -eXt -I snort-0130\@1918.log "0x81F10301049B81F101" "dst port 1434"
input: snort-0130 at ...1276...
filter: ip and ( dst port 1434 )
match: 0x81F10301049B81F101
#
U 2003/01/30 20:10:41.760045 217.58.216.50:2490 -> 12.82.132.120:1434
 
............................................................................
.........
 
...............B.........p.B.p.B........h...B.....1...P..5....P..Qh.dllhel32
hkernQhou
 
nthickChGetTf.llQh32.dhws2_f.etQhsockf.toQhsend....B.E.P..P.E.P.E.P..P....B.
...=U..Qt
 
.....B....1.QQP............Q.E.P.E.P..j.j.j...P.E.P.E.P........<a...E... at ...253...
........)
  .......E.j..E.P1.Qf..x.Q.E.P.E.P....

#
<snip>
exit



> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm
> Activity"; content:
> "dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)

Note that this queries for ASCII content, not hex.

[root at ...1275... /storage/snort/old_snorts/013003]# ngrep -ext -I snort-0130\@1918.log "dllhel32hkernQhounthickChGetTf" "dst port 1434"
input: snort-0130 at ...1276...
filter: ip and ( dst port 1434 )
match: dllhel32hkernQhounthickChGetTf
#
U 2003/01/30 20:10:41.760045 217.58.216.50:2490 -> 12.82.132.120:1434
  04 01 01 01 01 01 01 01    01 01 01 01 01 01 01 01    ................
  01 01 01 01 01 01 01 01    01 01 01 01 01 01 01 01    ................
  01 01 01 01 01 01 01 01    01 01 01 01 01 01 01 01    ................
  01 01 01 01 01 01 01 01    01 01 01 01 01 01 01 01    ................
  01 01 01 01 01 01 01 01    01 01 01 01 01 01 01 01    ................
  01 01 01 01 01 01 01 01    01 01 01 01 01 01 01 01    ................
  01 dc c9 b0 42 eb 0e 01    01 01 01 01 01 01 70 ae    ....B.........p.
  42 01 70 ae 42 90 90 90    90 90 90 90 90 68 dc c9    B.p.B........h..
  b0 42 b8 01 01 01 01 31    c9 b1 18 50 e2 fd 35 01    .B.....1...P..5.
  01 01 05 50 89 e5 51 68    2e 64 6c 6c 68 65 6c 33    ...P..Qh.dllhel3
  32 68 6b 65 72 6e 51 68    6f 75 6e 74 68 69 63 6b    2hkernQhounthick
  43 68 47 65 74 54 66 b9    6c 6c 51 68 33 32 2e 64    ChGetTf.llQh32.d
  68 77 73 32 5f 66 b9 65    74 51 68 73 6f 63 6b 66    hws2_f.etQhsockf
  b9 74 6f 51 68 73 65 6e    64 be 18 10 ae 42 8d 45    .toQhsend....B.E
  d4 50 ff 16 50 8d 45 e0    50 8d 45 f0 50 ff 16 50    .P..P.E.P.E.P..P
  be 10 10 ae 42 8b 1e 8b    03 3d 55 8b ec 51 74 05    ....B....=U..Qt.
  be 1c 10 ae 42 ff 16 ff    d0 31 c9 51 51 50 81 f1    ....B....1.QQP..
  03 01 04 9b 81 f1 01 01    01 01 51 8d 45 cc 50 8b    ..........Q.E.P.
  45 c0 50 ff 16 6a 11 6a    02 6a 02 ff d0 50 8d 45    E.P..j.j.j...P.E
  c4 50 8b 45 c0 50 ff 16    89 c6 09 db 81 f3 3c 61    .P.E.P........<a
  d9 ff 8b 45 b4 8d 0c 40    8d 14 88 c1 e2 04 01 c2    ...E... at ...1016...
  c1 e2 08 29 c2 8d 04 90    01 d8 89 45 b4 6a 10 8d    ...).......E.j..
  45 b0 50 31 c9 51 66 81    f1 78 01 51 8d 45 03 50    E.P1.Qf..x.Q.E.P
  8b 45 ac 50 ff d6 eb ca                               .E.P....        
#
<snip>


- John
-- 
"You are in a little maze of twisty passages, all different."

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
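To compare how the three rules in this thread behave, here is an added Python check (not from the thread or from the Snort project) that implements only the content:/depth: matching those rules use and runs it over constructed samples: a stand-in assembled from the fragments the ngrep dumps above show at each match point, and two harmless UDP/1434 payloads modelled on the SSRP client probe (assumption: such probes begin with byte 0x04 followed by an instance name).

```python
# Minimal Snort-style content matcher: independent searches per content:,
# with depth: limiting the search window. offset/distance/within are ignored.
def decode_content(val):
    """Turn a content: value into bytes; |..| sections are hex, rest is ASCII."""
    out = b""
    for i, seg in enumerate(val.split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode()
    return out

def parse_rule(rule):
    """Return [(pattern_bytes, depth_or_None), ...] from a rule's option body."""
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents = []
    for opt in [o.strip() for o in opts.split(";") if o.strip()]:
        key, _, val = opt.partition(":")
        if key == "content":
            contents.append([decode_content(val.strip().strip('"')), None])
        elif key == "depth" and contents:
            contents[-1][1] = int(val)   # depth applies to the preceding content
    return [tuple(c) for c in contents]

def rule_matches(rule, payload):
    """Every content: must be found (within its depth window, if any)."""
    for pat, depth in parse_rule(rule):
        window = payload if depth is None else payload[:depth]
        if pat not in window:
            return False
    return True

RULES = {  # the three rules quoted in the thread, each on one line
    "sid9998 header-padding": 'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9998; rev:1;)',
    "sid2003 snort.org": 'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)',
    "ascii string": 'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)',
}

# Constructed samples, not captured packets: the stand-in only strings together
# the fragments visible in the ngrep dumps; the other two mimic SSRP probes.
SAMPLES = {
    "slammer-like stand-in": (b"\x04" + b"\x01" * 96 + b"\x90" * 8
        + b"Qh.dllhel32hkernQhounthickChGetTf\xb9llQh32.dhws2_f\xb9etQhsockf\xb9toQhsend"
        + b"\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01\x01\x01\x01"),
    "ssrp instance probe": b"\x04MSSQLSERVER",
    "header padding only": b"\x04" + b"\x01" * 16,
}

def evaluate(rules=RULES, samples=SAMPLES):
    """{sample: {rule: matched}} so the rules' specificity can be compared."""
    return {s: {r: rule_matches(rule, p) for r, rule in rules.items()}
            for s, p in samples.items()}

if __name__ == "__main__":
    for sample, hits in evaluate().items():
        print(sample, hits)
```

Only sid2003 requires bytes from the worm's code as well as the header; the header-padding rule fires on any payload that merely starts with the same eight bytes.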

