[Snort-users] MS-SQL Worm Signature

Rich Adamson radamson at ...2127...
Sat Jan 25 10:07:03 EST 2003


Interesting... looks like maybe the Dell support site was hit. It's
still offline as of noon (CST).

------------------------
> Here are a few details from the Security Incidents list:
> 
> http://www.digitaloffense.net/worms/mssql_udp_worm/
> 
> After some well needed coffee, I'm going to look into this in more detail.
> 
> 
> At 11:06 AM 1/25/2003, Frank Reid wrote:
> >This rule gives me an error (aside from the trailing semicolon)...
> >anyone have a working version?  Thanks!
> >
> >Frank
> >
> >-----Original Message-----

> >hi all, i've done a simple signature for detecting this worm, it should
> >work (or at least, it works here :P)
> >
> >alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan";
> >
> >flow:to_server,from_server;
> >content:"|684765745466b96c6c|";classtype:attempted-admin)
> >
> >If there are errors plz correct me, thanx a lot to all, happy fishing :)
> >
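
Added example, not part of the original thread: a small Python lint for the rule quoted above. It flags an unterminated last option and a `flow` option that names both directions, and it decodes the `content` hex so the matched bytes can be read. The function names and the choice of checks are this example's own assumptions; it does not reproduce Snort's parser.

```python
import re

# Snort documents to_server == from_client and to_client == from_server.
TO_SERVER = {"to_server", "from_client"}
TO_CLIENT = {"to_client", "from_server"}

# The rule quoted in this thread, joined onto one line.
THREAD_RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 1434 '
               '(msg:"HELL-SQL Worm Scan"; flow:to_server,from_server; '
               'content:"|684765745466b96c6c|";classtype:attempted-admin)')

def decode_content(value):
    """Convert a Snort content string such as 'ab|68 47|cd' to raw bytes."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2:                       # odd segments sit between pipes: hex
            out += bytes.fromhex(part.replace(" ", ""))
        else:                           # even segments are literal text
            out += part.encode("latin-1")
    return bytes(out)

def lint_rule(rule):
    """Return (problems, decoded content patterns) for one rule string."""
    m = re.match(r"^[^(]+\((.*)\)\s*$", rule.strip(), re.S)
    if not m:
        return ["no (...) option block found"], []
    body = " ".join(m.group(1).split())
    problems, patterns = [], []
    if not body.endswith(";"):
        problems.append("last option is not terminated with ';'")
    # Split on ';' outside double quotes (assumes no escaped quotes in strings).
    for opt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
        name, _, value = opt.strip().partition(":")
        value = value.strip()
        if name == "flow":
            words = {w.strip() for w in value.split(",")}
            if words & TO_SERVER and words & TO_CLIENT:
                problems.append("flow names both directions: " + value)
        elif name == "content":
            try:
                patterns.append(decode_content(value.strip('"')))
            except ValueError:
                problems.append("content has invalid hex: " + value)
    return problems, patterns

if __name__ == "__main__":
    for line in lint_rule(THREAD_RULE)[0]:
        print("problem:", line)
```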




