[Snort-users] MS-SQL Worm Signature

O'Flynn, Derek DOFlyn at ...6551...
Mon Jan 27 12:58:12 EST 2003


I downloaded the one off the snort.org page, and it works quite well.  Just
make sure you don't switch it to monitor your home_net -> external_net.  I
did that so I could check on machines internally and it managed to generate
about 1 million+ events in my database.  This was from one host!  So not
only did it cause a DoS on the network, but DoS on my IDS too :)

Checking for External_net to Home_net should be fine, but I blocked UDP port
1434 at the router on Saturday when I was up at 3am so no use in trying to
detect it.

At the moment, I'm using tcpdump -nn net <home_net> and udp and port 1434.
When one pops up, you can see it real quick.

Derek

-----Original Message-----
From: Frank Reid [mailto:reid.frank at ...4336...] 
Sent: Saturday, January 25, 2003 9:28 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] MS-SQL Worm Signature

Snort says this rule is invalid (assumedly based on the content string?)
Anyone have a working version?

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
-=Quequero=-
Sent: Saturday, January 25, 2003 9:16 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] MS-SQL Worm Signature


hi all, i've done a simple signature for detecting this worm, it should 
work (or at least, it works here :P)

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan";

flow:to_server,from_server; 
content:"|684765745466b96c6c|";classtype:attempted-admin)

If there are errors plz correct me, thanx a lot to all, happy fishing :)


-=Quequero=-
SpP/Member www.spippolatori.com
UIC Founder www.quequero.tk
Linux Registered User #207978 



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030127/39a817d0/attachment.html>


More information about the Snort-users mailing list