[Snort-sigs] SQLSLAMMER signature

Dirk Mueller dmuell at ...433...
Mon Jan 27 01:45:02 EST 2003


On Mon, 27 Jan 2003, Michael.Advani at ...1219... wrote:

> I'm pretty new in this snort thingy and just wondering how do you come up
> with the 'content' part ("dllhel32hkernQhounthickChGetTf") ? 

I looked at the example packet dumps that were provided at various sites :)

Actually it should check for the UDP packet size to be something around 490 
bytes iirc, but I was too lazy to figure out a test for that..


-- 
Dirk (received 195 mails today)



