[Snort-users] MS-SQL Worm Signature

Jim Laverty jlaverty at ...3130...
Sat Jan 25 08:56:04 EST 2003


Here are a few details from the Security Incidents list:

http://www.digitaloffense.net/worms/mssql_udp_worm/

After some well needed coffee, I'm going to look into this in more detail.


At 11:06 AM 1/25/2003, Frank Reid wrote:
>This rule gives me an error (aside from the trailing semicolon)...
>anyone have a working version?  Thanks!
>
>Frank
>
>-----Original Message-----
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
>-=Quequero=-
>Sent: Saturday, January 25, 2003 9:16 AM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] MS-SQL Worm Signature
>
>
>hi all, i've done a simple signature for detecting this worm, it should
>work (or at least, it works here :P)
>
>alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan";
>
>flow:to_server,from_server;
>content:"|684765745466b96c6c|";classtype:attempted-admin)
>
>If there are errors plz correct me, thanx a lot to all, happy fishing :)
>
>
>-=Quequero=-
>SpP/Member www.spippolatori.com
>UIC Founder www.quequero.tk
>Linux Registered User #207978
>
>
>
>-------------------------------------------------------
>This SF.NET email is sponsored by:
>SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
>http://www.vasoftware.com
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
>-------------------------------------------------------
>This SF.NET email is sponsored by:
>SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
>http://www.vasoftware.com
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list