[Snort-users] SQLsnake - any able to create a sig for this one?
mkettler at ...4108...
Wed May 22 12:52:06 EDT 2002
You're certainly not the only one. Check out these quick greps on a weekly
logrotate set from my firewall for what's been caught so far this week, vs
the prior 2 weeks. Going back several more weeks yields a variety of
numbers between 0 and 60.
# grep "/1433" xxxxx | wc -l
# grep "/1433" xxxxx.1 | wc -l
# grep "/1433" xxxxx.2 | wc -l
One of these numbers is not like the others....
At 10:47 AM 5/22/2002 +0200, Roberto Suarez Soto wrote:
>On May/21, john at ...5909... wrote:
> > Has anyone been able to put together a sig for the scanning done by SQLsnake
> > (the MSSQL worm) which supposedly uses "fscan.exe" packaged as another
> > A full code analysis and facts about it can be found here:
> > http://www.incidents.org/diary/diary.php?id=157.
> This explains why I noticed such a huge amount of probes to 1433/tcp
>these last days :-) Was I the only one?
>Roberto Suarez Soto Alfa21 Outsourcing
> robe at ...3881... http://www.alfa21.com
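
An added example, not part of the original message: the per-file count above, narrowed to lines whose destination port is exactly 1433, with a count of distinct sources. The log format, the file names and every sample line are constructed assumptions, since the post does not show its firewall log.

```shell
#!/bin/sh
# Assumed (constructed) log format: "... PROTO SRC/SPORT -> DST/DPORT"

# Print "<hits> <unique sources>" for lines whose DESTINATION port equals $2.
# A plain grep "/1433" also counts source port 1433 and ports such as 14330.
probe_stats() {
    awk -v port="$2" '
        {
            for (i = 2; i < NF; i++) if ($i == "->") {
                n = split($(i + 1), dst, "/")
                if (n == 2 && dst[2] == port) {
                    hits++
                    split($(i - 1), src, "/")
                    if (!(src[1] in seen)) { seen[src[1]] = 1; uniq++ }
                }
            }
        }
        END { printf "%d %d\n", hits, uniq }
    ' "$1"
}

# Write two constructed rotated logs to a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/fw.log" <<'EOF'
May 21 03:12:01 fw DENY tcp 203.0.113.7/3112 -> 192.0.2.10/1433
May 21 03:12:02 fw DENY tcp 203.0.113.7/3113 -> 192.0.2.11/1433
May 21 03:15:40 fw DENY tcp 198.51.100.23/4401 -> 192.0.2.10/1433
May 21 04:02:11 fw DENY tcp 198.51.100.9/1433 -> 192.0.2.10/3050
May 21 04:09:59 fw DENY tcp 203.0.113.50/2200 -> 192.0.2.10/14330
EOF
    cat > "$dir/fw.log.1" <<'EOF'
May 14 11:30:12 fw DENY tcp 198.51.100.77/1029 -> 192.0.2.10/1433
May 14 12:01:45 fw DENY tcp 198.51.100.9/1433 -> 192.0.2.10/80
EOF
    echo "$dir"
}

# Compare the naive grep count with the destination-port count per file.
sample_dir=$(make_samples)
for f in "$sample_dir/fw.log" "$sample_dir/fw.log.1"; do
    echo "$(basename "$f"): grep=$(grep -c "/1433" "$f") dport_hits/sources=$(probe_stats "$f" 1433)"
done
rm -rf "$sample_dir"
```
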