[Snort-sigs] SQLSLAMMER signature

Michael.Advani at ...1221... Michael.Advani at ...1221...
Sun Jan 26 19:44:03 EST 2003


I'm pretty new in this snort thingy and just wondering how do you come up
with the 'content' part ("dllhel32hkernQhounthickChGetTf") ? 

Cheers,
MA

-----Original Message-----
From: Kreimendahl, Chad J [mailto:Chad.Kreimendahl at ...361...]
Sent: Sunday, January 26, 2003 1:33 AM
To: Dirk Mueller; snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] SQLSLAMMER signature



and if you're looking for people attempting it against you, switch home
and external nets.

-----Original Message-----
From: Dirk Mueller [mailto:dmuell at ...433...] 
Sent: Saturday, January 25, 2003 8:45 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] SQLSLAMMER signature


Hi, 

here's a signature for the SQL slammer worm that is spreading quickly:

alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg: "SQLSLAMMER";
content: 
"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)


-- 
Dirk (received 308 mails today)


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


-----------------------------------------------------------------------------
Email Address Change Notice:

   Please note that my email address has changed to "Michael.Advani at ...1219...".

-----------------------------------------------------------------------------
The information in this Internet email is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this Internet
email by anyone else is unauthorised.

If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this Internet email are subject to the terms and conditions
expressed in any applicable governing ING's terms of business or
client engagement letter.

Visit us at www.ing.com
-----------------------------------------------------------------------------





More information about the Snort-sigs mailing list