[Snort-users] MS SQL activity

Rich Adamson radamson at ...2127...
Sat Jan 25 10:32:07 EST 2003

For those reacting to the MS SQL issue, here's someone's snort rule
that has been alerting fine at our location:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994; rev:1;)

I'd also expect to see many different variations on "content", therefore
keeping the rule as simple as possible is probably in order.

An excellent technical narrative describing the detail behind the bug 
can be found at:

Cisco access list filters at one small ISP indicated:
 547 attempts within 30 seconds of installing the ACL this morning
 14,486 attempts within 30 minutes
 63,910 attempts within 2 hours
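
The following is an added example, not part of the original post: a Python sketch of how the content option of the rule quoted above is evaluated, run against constructed datagrams. The function names and sample payloads are assumptions made for illustration; the sketch ignores the $EXTERNAL_NET/$HOME_NET direction and escaped characters inside content strings.

```python
# Added illustration: evaluates the content option of the rule quoted above
# against constructed payloads. Names and sample data are hypothetical.

RULE_CONTENT = "|04 01 01 01 01 01 01 01|"   # content option from the rule
RULE_DST_PORT = 1434                          # destination port from the rule


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string (literal text mixed with |hex| runs) into bytes."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:                      # odd pieces sit between pipes: hex bytes
            out += bytes.fromhex(part)
        else:                          # even pieces are literal characters
            out += part.encode("latin-1")
    return bytes(out)


PATTERN = parse_content(RULE_CONTENT)


def rule_matches(dst_port: int, payload: bytes) -> bool:
    """True when a UDP datagram would trip the rule: port 1434 and the
    pattern anywhere in the payload (the rule sets no offset or depth)."""
    return dst_port == RULE_DST_PORT and PATTERN in payload


# Constructed datagrams: (label, destination port, payload).
SAMPLES = [
    ("pattern + trailing bytes A", 1434, b"\x04" + b"\x01" * 20 + b"\xaa" * 32),
    ("pattern + trailing bytes B", 1434, b"\x04" + b"\x01" * 20 + b"\x55" * 64),
    ("0x04 followed by a name",    1434, b"\x04SERVER01\x00"),
    ("single-byte datagram",       1434, b"\x02"),
    ("pattern on another port",    1433, b"\x04" + b"\x01" * 20),
]


def evaluate(samples=SAMPLES):
    """Return {label: bool} for each constructed datagram."""
    return {label: rule_matches(port, data) for label, port, data in samples}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print("ALERT" if hit else "pass ", label)
```

Both trailing-byte variants alert because only the eight-byte pattern is compared, while the datagram that starts with 0x04 but continues with other bytes does not.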
