[Snort-users] MS SQL activity
radamson at ...2127...
Sat Jan 25 10:32:07 EST 2003
For those reacting to the MS SQL issue, here's someone's snort rule
that has been alerting fine at our location:
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; \
content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994; rev:1;)
I'd also expect to see many different variations on "content", therefore
keeping the rule as simple as possible is probably in order.
An excellent technical narrative describing the detail behind the bug
can be found at:
Cisco access list filters at one small ISP indicated:
547 attempts within 30 seconds of installing the ACL this morning
14,486 attempts within 30 minutes
63,910 attempts within 2 hours
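To make concrete what the quoted rule actually tests, here is a small Python re-implementation of its match conditions run over constructed UDP packets. This is an added example, not code from the post or from Snort; the packets, the `$HOME_NET` range (10.0.0.0/8) and the `matches_loose_rule` variant are assumptions made for illustration. The loose variant shows the trade-off behind the remark about content variations: matching only the first byte catches differently padded packets but will also fire on ordinary SQL Server Resolution Service lookups.

```python
import ipaddress
from dataclasses import dataclass

# Values taken from the rule quoted in the post
SLAMMER_PORT = 1434
SLAMMER_CONTENT = bytes.fromhex("04 01 01 01 01 01 01 01")  # |04 01 01 01 01 01 01 01|
HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed $HOME_NET; adjust to your site


@dataclass
class UdpPacket:
    src: str
    dst: str
    dport: int
    payload: bytes


def matches_slammer_rule(pkt: UdpPacket, home_net=HOME_NET) -> bool:
    """Same conditions as the posted rule: UDP to $HOME_NET port 1434 with the
    8-byte content anywhere in the payload (a Snort content match without
    offset/depth is not anchored to the start of the packet, hence `in`)."""
    return (pkt.dport == SLAMMER_PORT
            and ipaddress.ip_address(pkt.dst) in home_net
            and SLAMMER_CONTENT in pkt.payload)


def matches_loose_rule(pkt: UdpPacket, home_net=HOME_NET) -> bool:
    """Assumed looser check: only the leading 0x04 byte (the SQL Server
    Resolution Service request type) on port 1434. Catches variants that
    change the padding, at the cost of alerting on legitimate SSRS lookups."""
    return (pkt.dport == SLAMMER_PORT
            and ipaddress.ip_address(pkt.dst) in home_net
            and pkt.payload[:1] == b"\x04")


def scan(packets, rule=matches_slammer_rule):
    """Return (src, dst) pairs of the packets that trigger the given rule."""
    return [(p.src, p.dst) for p in packets if rule(p)]


# Constructed sample traffic (not a capture): one hit, one to the wrong port,
# one to a non-home address, one variant with different padding bytes.
SAMPLE = [
    UdpPacket("192.0.2.10", "10.1.2.3", 1434, SLAMMER_CONTENT + b"constructed-filler"),
    UdpPacket("192.0.2.11", "10.1.2.3", 1433, SLAMMER_CONTENT + b"constructed-filler"),
    UdpPacket("192.0.2.12", "198.51.100.7", 1434, SLAMMER_CONTENT),
    UdpPacket("192.0.2.13", "10.1.2.4", 1434, b"\x04" + b"\x02" * 7 + b"constructed-variant"),
]

if __name__ == "__main__":
    print("strict rule hits:", scan(SAMPLE))
    print("loose rule hits: ", scan(SAMPLE, matches_loose_rule))
```

Running it shows the strict rule firing once (the exact content on port 1434 into the home range) while the loose rule also picks up the constructed variant; which of the two you deploy depends on how much SSRS noise your network produces.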