[Snort-sigs] Would these sasser rules catch all sasser variants?

Matthew Watchinski mwatchinski at ...435...
Wed Aug 4 20:56:08 EDT 2004

At first glance probably not.

Since the Sasser worm utilizes the LSASS vulnerability (MS04-011), the 
best way to find it is to find things attempting to exploit this 
vulnerability.  See SIDs 2514, 2511, 2508


Lin Zhong wrote:

>Hi, I am now doing a research related to Sasser worm. 
>I used the following two rules to capture the Sasser worm code transfer activity. I assumed that the Sasser a-f variants have similar worm code. But I am not sure whether the rules would be able to catch all Sasser worm code transfer activities. Has anybody used these rules for Sasser before? Would the following two rules capture all Sasser variants? 
>Thank you very much.
>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32/Sasser.worm.a [NAI])"; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; classtype:misc-activity;sid:1000003;rev:1;)
>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"W32/Sasser.worm.b [NAI])"; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; classtype:misc-activity;sid:1000004;rev:1;)
