[Snort-sigs] SQLSLAMMER signature
dmuell at ...433...
Mon Jan 27 01:45:02 EST 2003
On Mon, 27 Jan 2003, Michael.Advani at ...1219... wrote:
> I'm pretty new in this snort thingy and just wondering how do you come up
> with the 'content' part ("dllhel32hkernQhounthickChGetTf") ?
I looked at the example packet dumps that were provided at various sites :)
actually it should check for the udp packet size to be something around 490
bytes iirc, but I was too lazy to figure test for that..
Dirk (received 195 mails today)
More information about the Snort-sigs