[Snort-sigs] MS-SQL Slammer worm signature

Arjen De Landgraaf arjen.de.landgraaf at ...894...
Mon Jan 27 12:38:23 EST 2003


You will find all the info attached as a text file.
Regards,
Arjen
New Zealand


-----Original Message-----
From: Jukka Juslin [mailto:jtjuslin at ...1151...]
Sent: Monday, 27 January 2003 9:34 p.m.
To: Snort Sigs
Subject: [Snort-sigs] MS-SQL Slammer worm signature



About the current MS-SQL Slammer worm
(http://isc.incidents.org/analysis.html?id=180)

Does anybody have a sample packet content from this worm? We might be
having a firewall block of course, but now it would be interesting to
monitor outgoing traffic to UDP 1434, if there are infected systems
on-site (which were infected before the block was applied).

I am not that experienced in signature writing, but should this match any
traffic to UDP 1434 from our network? The other rule is supposed to
report any traffic to port 1434 in our network.

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer (udp)";)
alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Slammer OUTGOING (udp)";)

Thanks for help,
Jukka
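The two rules above alert purely on direction and destination port: anything from outside to UDP 1434 inside, and anything from inside to UDP 1434 outside. The following is an added example (editor's code, not part of the original thread or of Snort) that applies the same logic to raw IPv4/UDP packets, so the direction semantics of $HOME_NET / $EXTERNAL_NET can be checked against constructed packets offline. It assumes a HOME_NET of 192.0.2.0/24 and treats $EXTERNAL_NET as !$HOME_NET, both of which are assumptions for the example; the packet bytes are constructed, not captured worm traffic.

```python
import ipaddress
import struct

# Assumed site configuration, standing in for the Snort variables.
# $HOME_NET = 192.0.2.0/24 and $EXTERNAL_NET = !$HOME_NET (both assumptions).
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
SQL_RESOLUTION_PORT = 1434  # UDP port used by the SQL Server resolution service
IPPROTO_UDP = 17

# Messages mirror the two rules from the post.
MSG_INBOUND = "MS-SQL Slammer (udp)"
MSG_OUTBOUND = "MS-SQL Slammer OUTGOING (udp)"


def parse_ipv4_udp(packet: bytes):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP packet, else None.

    Handles a variable-length IPv4 header (IHL) and rejects anything that is
    not IPv4 carrying UDP, or that is too short to contain both headers.
    """
    if len(packet) < 20:
        return None
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8:
        return None
    if packet[9] != IPPROTO_UDP:
        return None
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    sport, dport, udp_len, _checksum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if udp_len < 8:
        return None
    payload = packet[ihl + 8:ihl + udp_len]
    return src, dst, sport, dport, payload


def classify(packet: bytes):
    """Apply the two direction/port rules; return the alert msg or None."""
    parsed = parse_ipv4_udp(packet)
    if parsed is None:
        return None
    src, dst, _sport, dport, _payload = parsed
    if dport != SQL_RESOLUTION_PORT:
        return None
    src_home = src in HOME_NET
    dst_home = dst in HOME_NET
    # $EXTERNAL_NET any -> $HOME_NET 1434
    if dst_home and not src_home:
        return MSG_INBOUND
    # $HOME_NET any -> $EXTERNAL_NET 1434 (what Jukka wants for post-block monitoring)
    if src_home and not dst_home:
        return MSG_OUTBOUND
    # Internal-to-internal or external-to-external: neither rule fires under
    # the !$HOME_NET assumption for $EXTERNAL_NET.
    return None


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes,
                     proto: int = IPPROTO_UDP) -> bytes:
    """Build a minimal IPv4 + UDP packet (checksums zeroed) for constructed test input."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    total_len = 20 + len(udp)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    return ip_hdr + udp


if __name__ == "__main__":
    # Constructed sample traffic (not real worm packets).
    sample = b"constructed-sample-payload"
    for desc, pkt in [
        ("external -> internal:1434", build_udp_packet("198.51.100.7", "192.0.2.10", 40000, 1434, sample)),
        ("internal -> external:1434", build_udp_packet("192.0.2.10", "203.0.113.5", 40001, 1434, sample)),
        ("internal -> internal:1434", build_udp_packet("192.0.2.10", "192.0.2.11", 40002, 1434, sample)),
        ("internal -> external:1433", build_udp_packet("192.0.2.10", "203.0.113.5", 40003, 1433, sample)),
    ]:
        print(f"{desc}: {classify(pkt)}")
```

Running it shows that only the outbound rule fires for the internal-to-external packet, which is the case Jukka is after once the firewall block is in place; the internal-to-internal packet fires neither rule only because the example treats $EXTERNAL_NET as !$HOME_NET, so a site that leaves $EXTERNAL_NET at its default of "any" would see the inbound rule match lateral traffic as well.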



_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Full dump Updated.txt
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20030127/685fc2f6/attachment.txt>

