[Snort-users] MSBlast snort signatures

CGhercoias at ...8619...
Tue Aug 12 18:41:02 EDT 2003


Hello,

For those interested, here are the snort signatures for the MSBlast worm.
We were hit yesterday, so we had to deal with it.
We still don't know how this entered our network, via email or brought
in by a user surfing a web site, but I've seen a lot of TFTP Get over
UDP/69 coming from workstations which have no business to run TFTP
servers.

# TFTP read request (opcode 00 01) for "msblast.exe" sent to UDP/69.
# depth covers the whole 13-byte pattern; reference uses the url,<id> form.
alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( sid: 1000024; rev: 3; \
    msg: "W32/MSBLAST Worm over TFTP"; \
    content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; \
    reference: url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; \
    classtype: trojan-activity; priority: 1;)

# Same 13-byte pattern, matched on any destination UDP port.
alert udp $EXTERNAL_NET any -> $HOME_NET any ( sid: 1000025; rev: 4; \
    msg: "W32/MSBLAST Worm ANY"; \
    content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; \
    reference: url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; \
    classtype: trojan-activity; priority: 1;)

Please let me know if they were of any help.

Thank you, 
______________________________________________
Catalin Ghercoias
  
Office Phone: +(518) 452-1242 Ext.7435 
Fax: (518) 452-4768 
mail: cghercoias at ...8617...
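
Added example (not part of the original post and not Snort code): a Python check of the rules' content bytes against constructed TFTP read requests, showing how the offset/depth window and filename case decide whether the byte pattern matches, next to a field-aware parse of the request. The function names and sample payloads are hypothetical and built for this illustration.

```python
import struct

# Bytes from the rules' content option: opcode 00 01 (RRQ) + "msblast.exe"
PATTERN = bytes.fromhex("00 01 6D 73 62 6C 61 73 74 2E 65 78 65")

def content_match(payload, pattern, offset=0, depth=None):
    """Snort-style content test: the pattern must lie wholly inside
    payload[offset : offset + depth]."""
    end = len(payload) if depth is None else offset + depth
    return pattern in payload[offset:end]

def parse_tftp_request(payload):
    """Parse a TFTP RRQ/WRQ (RFC 1350): 2-byte opcode, then a
    NUL-terminated filename and mode. Returns None if malformed."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    return opcode, fields[0].decode("latin-1"), fields[1].decode("latin-1").lower()

def is_msblast_rrq(payload):
    """Field-aware check: a read request whose filename is msblast.exe, any case."""
    req = parse_tftp_request(payload)
    return req is not None and req[0] == 1 and req[1].lower() == "msblast.exe"

def rrq(filename, mode="octet"):
    """Build a constructed RRQ payload for testing."""
    return struct.pack("!H", 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

# Constructed payloads, not captured traffic
SAMPLES = [
    ("RRQ msblast.exe", rrq("msblast.exe")),
    ("RRQ MSBLAST.EXE", rrq("MSBLAST.EXE")),
    ("RRQ boot.img", rrq("boot.img")),
    ("WRQ msblast.exe", struct.pack("!H", 2) + b"msblast.exe\x00octet\x00"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:18} depth=2:{content_match(data, PATTERN, 0, 2)!s:6}"
              f" depth=13:{content_match(data, PATTERN, 0, 13)!s:6}"
              f" parsed:{is_msblast_rrq(data)}")
```

A depth shorter than the pattern can never match, and a case-sensitive byte match misses an upper-case filename that the field-aware check still flags.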
