[Snort-users] SQLsnake - any able to create a sig for this one?

john at ...5909... john at ...5909...
Tue May 21 19:40:02 EDT 2002

Does anyone know if the folllowing rule will detect the SQLsnake, I know 
it uses the "xp_cmdshell" extended stored procedure on MSSQL servers to execute system commands 
(or at least that's my understanding)?  Or is there another rule?

sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL 
xp_cmdshell - program execution"; content: 
"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags: 
AP; offset: 8; classtype:attempted-user; sid:687; rev:1;)


More information about the Snort-users mailing list