[Snort-users] SQLsnake - any able to create a sig for this one?

Matt Kettler mkettler at ...4108...
Wed May 22 12:52:06 EDT 2002


You're certainly not the only one. Check out these quick greps on a weekly 
logrotate set from my firewall for what's been caught so far this week, vs 
the prior 2 weeks. Going back several more weeks yields a variety of 
numbers between 0 and 60.


# grep "/1433" xxxxx | wc -l
    2460
# grep "/1433" xxxxx.1 | wc -l
       0
# grep "/1433" xxxxx.2 | wc -l
      15

One of these numbers is not like the others....

At 10:47 AM 5/22/2002 +0200, Roberto Suarez Soto wrote:
>On May/21, john at ...5909... wrote:
>
> > Has anyone been able to put together a sig for the scanning done by SQLsnake
> > (the MSSQL worm) which supposedly uses "fscan.exe" packaged as another file.
> > A full code analysis and facts about it can be found here:
> > http://www.incidents.org/diary/diary.php?id=157.
>
>         This explains why I noticed such a huge amount of probes to 1433/tcp
>these last days :-) Was I the only one?
>
>--
>Roberto Suarez Soto                                     Alfa21 Outsourcing
>     robe at ...3881...                                  http://www.alfa21.com
>




