[Snort-sigs] LSA Exploit rule

Jens-Harald.Johansen at ...2457...
Wed May 5 02:47:05 EDT 2004


Yesterday I tried to create a rule which alerts on the LSA Exploit used by
the Sasser worm.
Haven't seen any of the Sasser.d here yet so I'm not sure if it can be used
for detecting that one.

So far I haven't seen any false positives.

Any comments on this one?

alert tcp any any -> $HOME_NET 445 ( msg:"LSA exploit"; content:"
 offset:78; depth:192; flags:A+; classtype: misc-activity; sid:4000001;

Jens-Harald Johansen
Hydro IS Partner
Int: 138 - 8808
Tlf: +47 22 53 88 08
Mob: +47 934 45 413

There are 10 kinds of people in the world: Those who understand binary and
those who don't...
