[Snort-sigs] Slapper signature ??

Ashley Thomas athomas at ...681...
Wed Jan 8 09:44:02 EST 2003


Yeah, even I think that 0000 is incorrect.

Old? I still see them on my network, and the Snort signature was not
alerting. That's why I was wondering.
Thanks.

Jukka Juslin wrote:

>On Tue, 7 Jan 2003, Ashley Thomas wrote:
>
>->Hi all,
>->
>->Snort signature for detecting slapper worm's communication messages is -
>->
>->alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper
>->worm admin traffic";
>->content:"|0000 4500 0045 0000 4000|"; offset:0; depth:10;
>->classtype:trojan-activity;
>->reference:url,www.cert.org/advisories/CA-2002-27.html;
>->reference:url,isc.incidents.org/analysis.html?id=167; sid:1889; rev:3;)
>->
>->Should we be matching for content: "|0000 4500 0045 0000 4000|";
>->or
>->content: "|4500 0045 0000 4000|";
>->
>->I could not understand why the 0000 is there at the starting.
>
>I launched a test slapper attack and I was able to detect it fine with
>content: "|4500 0045 0000 4000|". Therefore I think the 0000 is not
>needed.
>
>By the way, why are you so concerned with such an old attack? I think
>Microsoft SQL servers etc. are much more targeted now (according to
>incidents.org). I am a bit concerned that I don't see many more new Snort
>filters coming up for new vulnerabilities.
>
>Maybe I just have to write the filters I need by myself to accomplish what
>I want.
>
>Jukka Juslin
>M.Sc. (CS)
>European Organization for Nuclear Research
>


-- 
Ashley Thomas
Research scientist
College of Computing
Georgia Tech.
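The disagreement in the thread comes down to what the Snort `content` match with `offset:0; depth:10;` actually accepts for the two byte strings. The following is an added example (not code from this thread or from the Snort project) that models that matching semantics in Python and runs both patterns from sid:1889 over a few constructed UDP payloads. The payloads are made up for illustration and are not captured Slapper traffic; the model assumes Snort 2.x semantics, where `depth` is the number of payload bytes searched from `offset` and the whole pattern must fit inside that window.

```python
"""Model of Snort ``content`` matching with ``offset`` and ``depth``, used to
compare the two byte patterns debated in the thread (sid:1889).  Added
example, not from the original post or the Snort project.  The payloads
below are constructed for illustration, not real worm traffic."""

from typing import Optional


def parse_hex_content(spec: str) -> bytes:
    """Convert a Snort pipe-delimited hex string such as '|0000 4500|' to bytes."""
    return bytes.fromhex(spec.strip().strip("|").replace(" ", ""))


def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort semantics (assumed, Snort 2.x style): look for ``pattern`` within
    the ``depth`` bytes of ``payload`` that start at ``offset``, or in the rest
    of the payload when no depth is given.  The whole pattern must lie inside
    that window; a pattern that starts inside it but runs past it does not match."""
    end = len(payload) if depth is None else offset + depth
    return pattern in payload[offset:end]


# The two content strings from the thread, with the rule's offset:0; depth:10.
STRICT = parse_hex_content("|0000 4500 0045 0000 4000|")   # as shipped in sid:1889
LOOSE = parse_hex_content("|4500 0045 0000 4000|")         # without the leading 0000
OFFSET, DEPTH = 0, 10

# Constructed payloads (not real worm traffic).
PAYLOADS = {
    # two leading zero bytes, then the 8-byte sequence, then filler
    "with_leading_zeros": bytes.fromhex("0000 4500 0045 0000 4000 aabb ccdd"),
    # the 8-byte sequence at the very start of the datagram
    "no_leading_zeros": bytes.fromhex("4500 0045 0000 4000 aabb ccdd"),
    # the 8-byte sequence pushed past depth:10 by four bytes of prefix
    "late_sequence": bytes.fromhex("0102 0304 4500 0045 0000 4000"),
    # unrelated bytes
    "unrelated": bytes.fromhex("deadbeef00112233"),
}


def compare_patterns(payloads: dict = PAYLOADS) -> dict:
    """Return {name: (strict_matches, loose_matches)} for every payload."""
    return {
        name: (content_match(p, STRICT, OFFSET, DEPTH),
               content_match(p, LOOSE, OFFSET, DEPTH))
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, (strict, loose) in compare_patterns().items():
        print(f"{name:20s} strict={str(strict):5s} loose={loose}")
```

Running it shows that the 8-byte pattern accepts everything the 10-byte pattern does plus datagrams where the sequence begins at byte 0 (the `no_leading_zeros` case), while `depth:10` still rejects the sequence once it is pushed four bytes in. Whether dropping the `0000` is right therefore depends on whether the real admin datagrams always carry those two leading bytes, which the thread leaves open; the looser pattern trades a small increase in false-positive exposure for not missing that variant.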