[Snort-users] re: MSBlast snort signatures

Tom Sevy tsevy at ...1701...
Wed Aug 13 06:45:08 EDT 2003


1) Does anyone else think this should say any --> any so as to catch events
if someone brings in a laptop that got infected at home, etc?

2) the reference: needs to say reference: url, www....


Hello,

For those interested, here are the snort signatures for the MSBlast worm.

We were hit yesterday so we had to deal with it.

Still don't know how this entered our network, via email or brought
in by a user surfing a web site, but I've seen a lot of TFTP Get over
UDP/69 coming from workstations which have no business running TFTP
servers.

alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( sid: 1000024; rev: 3; msg: "W32/MSBLAST Worm over TFTP"; content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 2; reference: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype: trojan-activity; priority: 1;)

alert udp $EXTERNAL_NET any -> $HOME_NET any ( sid: 1000025; rev: 4; msg: "W32/MSBLAST Worm ANY"; content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 2; reference: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype: trojan-activity; priority: 1;)

Please let me know if they were of any help.

Thank you,
______________________________________________
Catalin Ghercoias
Office Phone: +(518) 452-1242 Ext.7435
Fax: (518) 452-4768
mail: cghercoias at ...8617...
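
Added example, not part of the original posts: a Python sketch that decodes a TFTP read request as the rules' content bytes imply (opcode 00 01 followed by the filename) and models Snort's offset/depth window in simplified form. It shows that the 13-byte pattern cannot fit inside depth: 2 and that a byte-exact match misses an upper-case filename; all function names and sample payloads are constructed for illustration.

```python
import struct

# Bytes from the rules' content option: TFTP opcode 1 (RRQ) + "msblast.exe"
RULE_CONTENT = bytes.fromhex("00016D73626C6173742E657865")

def content_match(payload, pattern, offset=0, depth=None):
    """Simplified model of content/offset/depth: the whole pattern must lie
    inside payload[offset:offset+depth] (byte-exact, case-sensitive)."""
    end = len(payload) if depth is None else offset + depth
    return pattern in payload[offset:end]

def parse_tftp_request(payload):
    """Return (opcode, filename, mode) for a TFTP RRQ/WRQ, else None.
    Layout per RFC 1350: 2-byte opcode, filename NUL, mode NUL."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):          # 1 = read request, 2 = write request
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:               # filename, mode, trailing empty field
        return None
    filename = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    return opcode, filename, mode

def is_msblast_fetch(payload):
    """Flag a read request for msblast.exe, ignoring filename case."""
    req = parse_tftp_request(payload)
    return req is not None and req[0] == 1 and req[1].lower() == "msblast.exe"

# Constructed sample UDP payloads (not captured traffic)
SAMPLE_RRQ = b"\x00\x01msblast.exe\x00octet\x00"
SAMPLE_UPPER = b"\x00\x01MSBLAST.EXE\x00octet\x00"
SAMPLE_BENIGN = b"\x00\x01pxelinux.0\x00octet\x00"

if __name__ == "__main__":
    for name, pkt in [("rrq", SAMPLE_RRQ), ("upper", SAMPLE_UPPER),
                      ("benign", SAMPLE_BENIGN)]:
        print(name,
              "depth2=%s" % content_match(pkt, RULE_CONTENT, 0, 2),
              "depth13=%s" % content_match(pkt, RULE_CONTENT, 0, len(RULE_CONTENT)),
              "parsed=%s" % is_msblast_fetch(pkt))
```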




