[Snort-sigs] Would these sasser rules catch all sasser variants?

Lin Zhong Lin.Zhong at ...2386...
Wed Aug 4 14:42:04 EDT 2004


Hi, I am now doing a research related to Sasser worm. 

I used the following two rules to capture the sasser worm code transfer activity. I assumed that the sasser a - f variants have the similar worm code. But I am not sure whether the rules would be able to catch all sasser worm code transfer activities. Has anybody used this rules for sasser before? Would the following two rules capture all Sasser variants? 

Thank you very much.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32/Sasser.worm.a [NAI])"; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; classtype:misc-activity;sid:1000003;rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32/Sasser.worm.b [NAI])"; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; classtype:misc-activity;sid:1000004;rev:1;)

--
Lin




More information about the Snort-sigs mailing list