[Snort-users] MS-SQL Worm Signature

Frank Reid fcreid at ...691...
Sat Jan 25 10:21:01 EST 2003


I found this one on Symantec's ManHunt at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.
html#technicaldetails

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"W32.SQLEXP.Worm
propagation"; content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|";
content:"|04|"; offset:0; depth:1;)

It seems to work perfectly as a Snort rule... is this just coincidence
that they used the same syntax?

Frank


-----Original Message-----
From: Rich Adamson [mailto:radamson at ...2127...] 
Sent: Saturday, January 25, 2003 12:58 PM
To: '-=Quequero=-'; Frank Reid; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] MS-SQL Worm Signature


This one is alerting as I write this email:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm
Activity"; 
content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994;
rev:1;)


------------------------
  From: Frank Reid <fcreid at ...691...>
  Subject: RE: [Snort-users] MS-SQL Worm Signature
  Date: Sat, 25 Jan 2003 11:06:46 -0500 
  To: '-=Quequero=-' <quequero at ...8067...>,
snort-users at lists.sourceforge.net


> This rule gives me an error (aside from the trailing semicolon)... 
> anyone have a working version?  Thanks!
> 
> Frank
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> -=Quequero=-
> Sent: Saturday, January 25, 2003 9:16 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] MS-SQL Worm Signature
> 
> 
> hi all, i've done a simple signature for detecting this worm, it 
> should
> work (or at least, it works here :P)
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm 
> Scan";
> 
> flow:to_server,from_server;
> content:"|684765745466b96c6c|";classtype:attempted-admin)
> 
> If there are errors plz correct me, thanx a lot to all, happy fishing 
> :)
> 
> 
> -=Quequero=-
> SpP/Member www.spippolatori.com
> UIC Founder www.quequero.tk
> Linux Registered User #207978
> 
> 
> 
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! 
> http://www.vasoftware.com 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! 
> http://www.vasoftware.com 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

---------------End of Original Message-----------------






More information about the Snort-users mailing list