[Snort-users] MS-SQL Worm Signature

Martin Roesch roesch at ...1935...
Sat Jan 25 20:44:02 EST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nope, they support the Snort rules language (at least partially) in the  
Manhunt product, although we don't know how completely they've  
implemented Snort rules language support...

BTW, there is a rule for the SQL Slammer worm up at snort.org that  
we've tested and approved for release.  I like eEye's name "Sapphire"  
better than SQL Slammer in case anyone is wondering, but that's just  
me... :)


      -Marty


On Saturday, January 25, 2003, at 01:21 PM, Frank Reid wrote:

> I found this one on Symantec's ManHunt at:
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html#technicaldetails
>
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"W32.SQLEXP.Worm propagation"; content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; content:"|04|"; offset:0; depth:1;)
>
> It seems to work perfectly as a Snort rule... is this just coincidence
> that they used the same syntax?
>
> Frank
>
>
> -----Original Message-----
> From: Rich Adamson [mailto:radamson at ...2127...]
> Sent: Saturday, January 25, 2003 12:58 PM
> To: '-=Quequero=-'; Frank Reid; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] MS-SQL Worm Signature
>
>
> This one is alerting as I write this email:
>
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994; rev:1;)
>
>
> ------------------------
>   From: Frank Reid <fcreid at ...691...>
>   Subject: RE: [Snort-users] MS-SQL Worm Signature
>   Date: Sat, 25 Jan 2003 11:06:46 -0500
>   To: '-=Quequero=-' <quequero at ...8067...>,
> snort-users at lists.sourceforge.net
>
>
>> This rule gives me an error (aside from the trailing semicolon)...
>> anyone have a working version?  Thanks!
>>
>> Frank
>>
>> -----Original Message-----
>> From: snort-users-admin at lists.sourceforge.net
>> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
>> -=Quequero=-
>> Sent: Saturday, January 25, 2003 9:16 AM
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] MS-SQL Worm Signature
>>
>>
>> Hi all, I've done a simple signature for detecting this worm; it
>> should work (or at least, it works here :P)
>>
>> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan"; content:"|68 47 65 74 54 66 b9 6c 6c|"; classtype:attempted-admin;)
>>
>> If there are errors, please correct me. Thanks a lot to all, happy fishing
>> :)
>>
>>
>> -=Quequero=-
>> SpP/Member www.spippolatori.com
>> UIC Founder www.quequero.tk
>> Linux Registered User #207978
>>
>>
>>
>> -------------------------------------------------------
>> This SF.NET email is sponsored by:
>> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
>> http://www.vasoftware.com
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ---------------End of Original Message-----------------
>
>
>
>
>
>
- -- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+M2cQqj0FAQQ3KOARAmLxAJ9x7coEDUw53rBz723tHHpKaKWSZwCeMuYK
S25rZM/NZTuiqQAmkuHVqNM=
=7dbP
-----END PGP SIGNATURE-----
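Added example, not code from the thread or from any of the posters: a small Python evaluator for the Snort `content`, `offset` and `depth` semantics that the three rules in this thread rely on, run against constructed UDP/1434 datagrams. The datagrams are made up for the demo and carry only the byte fragments the rules themselves name (the `push "kern"`, `push "el32"`, `push ".dll"` sequence and the `push "GetT"; mov cx,"ll"` sequence) behind the SSRP type byte 0x04 and a run of 0x01 filler; none of them is the worm. The legitimate SQL Server Resolution Protocol request shapes (0x04 plus instance name, 0x02 browse) follow MC-SQLR. Names such as `parse_content`, `Content`, `Rule` and `evaluate` are this example's own, not Snort APIs.

```python
"""Evaluator for the Snort content/offset/depth options used by the three
Slammer rules in this thread. Added example, not the thread's own code.

Every payload below is constructed for the demo; none is the worm.
"""
import re
from typing import List, Optional


def parse_content(spec: str) -> bytes:
    """Decode a Snort content string such as 'abc|00 01|' into bytes.

    Text between pipes is hex with spaces optional, so both the spaced
    '|68 2E 64|' and the unspaced '|684765745466b96c6c|' forms posted in the
    thread decode; text outside pipes is literal. Backslash escapes are not
    handled (a simplification for this example).
    """
    out = bytearray()
    for i, seg in enumerate(spec.split("|")):
        if i % 2 == 0:                      # literal segment
            out += seg.encode("latin-1")
        else:                               # hex segment
            digits = re.sub(r"\s+", "", seg)
            if len(digits) % 2:
                raise ValueError(f"odd-length hex in content: {seg!r}")
            out += bytes.fromhex(digits)
    return bytes(out)


class Content:
    """One content option. offset/depth bound the search window the way
    Snort does: start at `offset`, look at most `depth` bytes from there."""

    def __init__(self, spec: str, offset: int = 0, depth: Optional[int] = None):
        self.pattern = parse_content(spec)
        self.offset = offset
        self.depth = depth

    def matches(self, payload: bytes) -> bool:
        end = len(payload) if self.depth is None else self.offset + self.depth
        return self.pattern in payload[self.offset:end]


class Rule:
    """Several content options in one rule must all match (they are ANDed)."""

    def __init__(self, msg: str, dport: int, contents: List[Content]):
        self.msg, self.dport, self.contents = msg, dport, contents

    def matches(self, dport: int, payload: bytes) -> bool:
        return dport == self.dport and all(c.matches(payload) for c in self.contents)


# The three rules from the thread, in posting order.
RULES = [
    # Quequero: push "GetT" / mov cx,"ll" (the worm building "GetTickCount")
    Rule("HELL-SQL Worm Scan", 1434, [Content("|684765745466b96c6c|")]),
    # Rich Adamson: SSRP type byte 0x04 followed by the worm's 0x01 filler,
    # searched anywhere in the datagram (no offset/depth)
    Rule("MS-SQL Slammer Worm Activity", 1434,
         [Content("|04 01 01 01 01 01 01 01|")]),
    # Symantec/Frank: push ".dll" / push "el32" / push "kern" ("kernel32.dll")
    # AND the 0x04 type byte pinned to the first byte by offset:0; depth:1
    Rule("W32.SQLEXP.Worm propagation", 1434, [
        Content("|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"),
        Content("|04|", offset=0, depth=1),
    ]),
]

# Constructed stand-in for a worm datagram: 0x04, a run of 0x01 filler, and
# only the two code fragments the rules look for. The real payload is a few
# hundred bytes of code that is deliberately not reproduced here.
SLAMMER_LIKE = (b"\x04" + b"\x01" * 96
                + parse_content("|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|")
                + parse_content("|68 47 65 74 54 66 b9 6c 6c|")
                + b"\x00" * 8)

# Constructed legitimate SSRP traffic (MC-SQLR): an instance lookup shares the
# 0x04 lead byte with the worm but carries an instance name, not code.
LEGIT_UCAST_INST = b"\x04" + b"MSSQLSERVER\x00"
LEGIT_BCAST_EX = b"\x02"                      # browse all instances


def evaluate(dport: int, payload: bytes) -> List[str]:
    """Return the msg of every rule that fires on one UDP datagram."""
    return [r.msg for r in RULES if r.matches(dport, payload)]


if __name__ == "__main__":
    samples = {
        "slammer-like": SLAMMER_LIKE,
        "ucast-inst": LEGIT_UCAST_INST,
        "bcast-ex": LEGIT_BCAST_EX,
        # same bytes shifted by one: the offset/depth-anchored rule stays quiet
        "shifted": b"\x00" + SLAMMER_LIKE,
    }
    for name, pkt in samples.items():
        print(f"{name:13s} udp/1434 -> {evaluate(1434, pkt)}")
```

The "shifted" sample is the point of the exercise: the two rules that search the whole datagram still fire when the bytes move, while the Symantec rule's second content is pinned to byte 0 by `offset:0; depth:1`, so it only fires when the SSRP type byte really is first. Multiple content options in one rule are ANDed, which is why that rule can afford the very short `|04|` pattern without firing on an ordinary instance lookup that also starts with 0x04.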




