[Snort-sigs] MS-SQL Slammer worm signature

Jonas Eriksson je at ...1233...
Mon Jan 27 12:38:26 EST 2003


On Mon, 27 Jan 2003, Jukka Juslin wrote:

>
> About the current MS-SQL Slammer worm
> (http://isc.incidents.org/analysis.html?id=180)
>
> Does anybody have a sample packet content from this worm? We might be
> having a firewall block of course, but now it would be interesting to
> monitor outgoing traffic to UDP 1434, if there are infected systems
> on-site (which were infected before the block was applied).
>
> I am not that experienced in signature writing, but should this match any
> traffic to UDP 1434 from our network? The other rule is supposed to
> report any traffic to port 1434 in our network.
>
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer (udp)";)
> alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Slammer OUTGOING (udp)";)

Here is a packet capture (pcap format)

http://www.boredom.org/~cstone/onepacket



Regards
Jonas Eriksson


>
> Thanks for help,
> Jukka
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>


--
 Favourite pickup line: Hey baby, wanna synchronize sequence numbers?
 Warning: not always effective
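Editor's note on the rules quoted above: both of them fire on every UDP datagram to port 1434, which includes every legitimate SQL Server Resolution Service (SQL Browser) lookup, so on a network with real SQL Server clients they produce noise, not a list of infected hosts. The stock Snort rule for the worm narrows the match to the payload itself: opcode byte 0x04 at offset 0, the xor immediates `|81 F1 03 01 04 9B 81 F1 01|` that build the sockaddr for port 1434, and the pushed strings "sock" and "send" that the shellcode uses to resolve socket()/sendto(). The worm datagram carries a 376-byte payload that starts with 0x04 followed by a long run of 0x01 bytes, whereas a normal CLNT_UCAST_INST query is 0x04 followed by a short instance name. The following script is an added example, not code from the original thread: it reads a classic libpcap file such as the one linked above, applies the same payload checks, and reports the direction relative to a HOME_NET prefix so that infected on-site machines scanning outward show up as OUTGOING. The capture embedded in the block is constructed in memory; the Slammer-shaped packet is a stand-in that keeps only the bytes the rule keys on, with NOPs in place of the real shellcode.

```python
import ipaddress
import struct

# Byte sequences the stock Snort rule keys on (content:"|04|"; depth:1;
# content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send";).
SLAMMER_MARKERS = (bytes.fromhex("81f10301049b81f101"), b"sock", b"send")
SQL_RESOLUTION_PORT = 1434


def is_slammer_payload(payload: bytes) -> bool:
    """Content-rule logic: SSRS opcode 0x04, oversized, and every marker present.
    A legitimate CLNT_UCAST_INST query is also 0x04 + instance name, but short."""
    return (len(payload) > 100
            and payload[:1] == b"\x04"
            and all(marker in payload for marker in SLAMMER_MARKERS))


def iter_pcap_frames(data: bytes):
    """Yield link-layer frames from a classic libpcap file (Ethernet captures only)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # linktype DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_ipv4_udp(frame: bytes):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # ethertype IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 17:  # version 4, protocol UDP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    udp = ip[ihl:total_len]
    sport, dport, udp_len = struct.unpack("!HHH", udp[:6])
    return (str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20])),
            sport, dport, udp[8:udp_len])


def scan_pcap(pcap: bytes, home_net: str) -> list:
    """Classify every UDP/1434 packet relative to HOME_NET, the way the two rules would."""
    home = ipaddress.ip_network(home_net)
    verdicts = []
    for frame in iter_pcap_frames(pcap):
        parsed = parse_ipv4_udp(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if dport != SQL_RESOLUTION_PORT:
            continue
        if is_slammer_payload(payload):
            direction = "OUTGOING" if ipaddress.ip_address(src) in home else "INCOMING"
            verdicts.append((src, dst, "MS-SQL Slammer " + direction))
        else:
            verdicts.append((src, dst, "udp/1434 but not Slammer (e.g. normal SQL Browser query)"))
    return verdicts


# --- constructed sample capture (not real traffic) ---------------------------

def _checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    return (~(total + (total >> 16))) & 0xFFFF


def build_udp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip + udp


def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, Ethernet
    records = [struct.pack("<IIII", 1043600000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


def slammer_like_payload() -> bytes:
    """Stand-in with the shape the rule keys on; the real shellcode is replaced by NOPs."""
    body = b"\x04" + b"\x01" * 97                   # opcode + run of 0x01, as in the worm
    body += b"\x68sock" + b"\x68send"              # push "sock" / push "send"
    body += SLAMMER_MARKERS[0] + b"\x01\x01\x01"   # xor ecx,0x9b040103 / xor ecx,0x01010101
    return body + b"\x90" * (376 - len(body))      # worm payload is 376 bytes


SAMPLE_PCAP = build_pcap([
    build_udp_frame("192.0.2.7", "10.1.2.3", 4521, 1434, slammer_like_payload()),    # inbound hit
    build_udp_frame("10.1.2.3", "198.51.100.9", 1066, 1434, slammer_like_payload()), # infected host scanning out
    build_udp_frame("10.1.2.50", "10.1.2.3", 3333, 1434, b"\x04MSSQLSERVER\x00"),   # benign CLNT_UCAST_INST
    build_udp_frame("10.1.2.50", "10.1.2.3", 3334, 53, b"\x00" * 12),               # unrelated UDP
])

if __name__ == "__main__":
    for verdict in scan_pcap(SAMPLE_PCAP, "10.0.0.0/8"):
        print(*verdict)
```

To run it against the linked capture instead of the embedded one, pass `open("onepacket", "rb").read()` to scan_pcap with your own HOME_NET prefix. The dsize and content checks mirror what the Snort content rule does; the generic port-only rules quoted above correspond to dropping is_slammer_payload and alerting on every UDP/1434 datagram.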