[Snort-users] MS-SQL Worm Signature

Martin Roesch roesch at ...1935...
Mon Jan 27 15:20:02 EST 2003


That flow option is wrong.  You can't have "flow" in non-TCP rules.

     -Marty


On 1/25/03 10:27 AM, "Frank Reid" <reid.frank at ...4336...> wrote:

> Snort says this rule is invalid (assumedly based on the content string?)
> Anyone have a working version?
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> -=Quequero=-
> Sent: Saturday, January 25, 2003 9:16 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] MS-SQL Worm Signature
> 
> 
> hi all, i've done a simple signature for detecting this worm, it should
> work (or at least, it works here :P)
> 
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan";
> 
> flow:to_server,from_server;
> content:"|684765745466b96c6c|";classtype:attempted-admin)
> 
> If there are errors plz correct me, thanx a lot to all, happy fishing :)
> 
> 
> -=Quequero=-
> SpP/Member www.spippolatori.com
> UIC Founder www.quequero.tk
> Linux Registered User #207978
> 
> 
> 
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org





More information about the Snort-users mailing list