[Snort-sigs] MS-SQL Slammer worm signature

Jukka Juslin jtjuslin at ...1151...
Mon Jan 27 00:35:04 EST 2003


About the current MS-SQL Slammer worm
(http://isc.incidents.org/analysis.html?id=180)

Does anybody have a sample packet content from this worm? We might be
having a firewall block of course, but now it would be interesting to
monitor outgoing traffic to UDP 1434, if there are infected systems
on-site (which were infected before the block was applied).

I am not that experienced in signature writing, but should this match any
traffic to UDP 1434 from our network? The other rule is supposed to
report any traffic to port 1434 in our network.

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer (udp)";)
alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Slammer OUTGOING (udp)";)

Thanks for help,
Jukka
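The two rules in the post are syntactically valid and will fire on every UDP datagram to port 1434 in the stated direction, including ordinary SQL Server resolution queries, so they answer "is anything talking to 1434" rather than "is this the worm". The script below is an added example, not part of the post or of any Snort ruleset: it reimplements the poster's two port-only rules in Python over constructed raw IPv4/UDP packets, and adds a third, payload-aware check based on the publicly documented shape of the Slammer datagram (a single UDP payload of a few hundred bytes whose first byte is 0x04). The network ranges, packet contents and rule names are constructed for the example; the 376-byte payload is a stand-in of the right size and leading byte, not the worm.

```python
import struct
from socket import inet_aton, inet_ntoa

# Constructed: treat 192.0.2.0/24 as $HOME_NET, everything else as $EXTERNAL_NET.
HOME_NET_PREFIX = "192.0.2."
SQL_RESOLUTION_PORT = 1434          # UDP port the post is monitoring


def is_home(addr):
    return addr.startswith(HOME_NET_PREFIX)


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+UDP packet (checksums left at 0; this is test data)."""
    ulen = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + ulen, 0, 0, 64, 17, 0,
                         inet_aton(src), inet_aton(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, ulen, 0)
    return ip_hdr + udp_hdr + payload


def parse_ipv4_udp(pkt):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:      # 17 = UDP
        return None
    src, dst = inet_ntoa(pkt[12:16]), inet_ntoa(pkt[16:20])
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return src, dst, sport, dport, pkt[ihl + 8:ihl + ulen]


def match_rules(pkt):
    """Return the msg strings of every rule that fires on this packet."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None:
        return []
    src, dst, _sport, dport, payload = parsed
    if dport != SQL_RESOLUTION_PORT:
        return []
    fired = []
    # The two port-only rules from the post, directional like $EXTERNAL_NET/$HOME_NET.
    if is_home(dst) and not is_home(src):
        fired.append("MS-SQL Slammer (udp)")
    if is_home(src) and not is_home(dst):
        fired.append("MS-SQL Slammer OUTGOING (udp)")
    # Payload-aware refinement (Snort equivalent: dsize:>300; content:"|04|"; depth:1;).
    # Direction-independent, so it also sees host-to-host spread inside $HOME_NET.
    if len(payload) > 300 and payload[:1] == b"\x04":
        fired.append("MS-SQL Slammer payload (udp)")
    return fired


# Constructed sample traffic.
WORM_LIKE = b"\x04" + b"\x01" * 375          # 376-byte stand-in, not the real payload
SHORT_PROBE = b"\x02"                        # a short resolution-style query

SAMPLES = {
    "worm_inbound":  build_ipv4_udp("198.51.100.5", "192.0.2.10", 1434, 1434, WORM_LIKE),
    "worm_outbound": build_ipv4_udp("192.0.2.10", "198.51.100.5", 1434, 1434, WORM_LIKE),
    "worm_internal": build_ipv4_udp("192.0.2.10", "192.0.2.20", 1434, 1434, WORM_LIKE),
    "probe_inbound": build_ipv4_udp("198.51.100.5", "192.0.2.10", 40000, 1434, SHORT_PROBE),
    "other_port":    build_ipv4_udp("198.51.100.5", "192.0.2.10", 40000, 53, WORM_LIKE),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {match_rules(pkt)}")
```

Running it shows the trade-off the post is asking about: the port-only rules fire on the one-byte probe as well as the worm-sized datagram, and the OUTGOING rule stays silent for an infected host hitting another host inside $HOME_NET, which the size-plus-first-byte check still catches. In Snort terms, adding `dsize:>300; content:"|04|"; depth:1;` to the poster's rules would give the same narrowing.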