[Snort-sigs] wrong signature

Ashley Thomas athomas at ...681...
Mon Jan 13 12:23:09 EST 2003


Hi all,

I am trying to get some help regarding the Slapper worm signature that 
Snort has:

alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper worm admin traffic";
content:"|0000 4500 0045 0000 4000|"; offset:0; depth:10;
classtype:trojan-activity;
reference:url,www.cert.org/advisories/CA-2002-27.html;
reference:url,isc.incidents.org/analysis.html?id=167; sid:1889; rev:3;)

Is the signature trying to match |4500 0045 0000 4000|, which is the 
initial part of the IP header?
    In that case, the initial 0000 is not needed, right?
    Otherwise, it would be incorrect.

If I am missing something, please correct me.
I had sent a mail regarding this, but snort-rules still has the same 
signature.

Thanks a lot,
Ashley



-- 
Ashley Thomas
Research scientist
College of Computing
Georgia Tech.
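
An added example, not part of the original post and not Snort's own code: a minimal Python model of how a `content` match with `offset` and `depth` is evaluated against the UDP payload, applied to the rule's 10-byte pattern and to the 8-byte variant asked about above. The packets are constructed (not captured traffic) and all function names are hypothetical.

```python
import struct
from typing import Optional

def parse_content(spec: str) -> bytes:
    """Turn a Snort content string (text mixed with |hex| runs) into bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        # Odd-numbered pieces sit between pipes and are hex; the rest is literal text.
        out += bytes.fromhex("".join(part.split())) if i % 2 else part.encode("latin-1")
    return bytes(out)

def content_match(payload: bytes, spec: str, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort-style test: the pattern must lie wholly inside payload[offset:offset+depth]."""
    end = len(payload) if depth is None else offset + depth
    return parse_content(spec) in payload[offset:end]

def build_udp_packet(payload: bytes, sport: int = 2002, dport: int = 2002) -> bytes:
    """Constructed IPv4+UDP packet (checksums left at zero, documentation addresses)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0x4000,
                     64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + udp + payload

def udp_payload(packet: bytes) -> bytes:
    """Skip the IPv4 header (IHL * 4 bytes) and the 8-byte UDP header."""
    return packet[(packet[0] & 0x0F) * 4 + 8:]

RULE_CONTENT = "|0000 4500 0045 0000 4000|"   # as written in sid:1889
SHORT_CONTENT = "|4500 0045 0000 4000|"       # the variant asked about in the post

# Constructed payloads, not captured traffic.
with_prefix = build_udp_packet(parse_content(RULE_CONTENT) + bytes(16))
without_prefix = build_udp_packet(parse_content(SHORT_CONTENT) + bytes(16))

if __name__ == "__main__":
    for name, pkt in (("with 0000 prefix", with_prefix), ("without prefix", without_prefix)):
        data = udp_payload(pkt)
        print(name,
              "| rule content, depth 10:", content_match(data, RULE_CONTENT, 0, 10),
              "| short content, depth 8:", content_match(data, SHORT_CONTENT, 0, 8))
```

With `offset:0; depth:10` a 10-byte pattern has to equal the first 10 payload bytes exactly, so the two patterns are not interchangeable unless the depth is adjusted as well.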