Snort mailing list archives
Slapper signature ??
From: Ashley Thomas <athomas () cc gatech edu>
Date: Tue, 07 Jan 2003 01:48:55 -0500
Hi all,

Snort signature for detecting slapper worm's communication messages is -

    alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper worm admin traffic"; content:"|0000 4500 0045 0000 4000|"; offset:0; depth:10; classtype:trojan-activity; reference:url,www.cert.org/advisories/CA-2002-27.html; reference:url,isc.incidents.org/analysis.html?id=167; sid:1889; rev:3;)

Should we be matching for

    content: "|0000 4500 0045 0000 4000|";

or

    content: "|4500 0045 0000 4000|";

I could not understand why the 0000 is there at the start. I saw this example on the internet - notice the 0x0000 which is the part of the program (tcpdump / snoop or whatever). I hope that is not the 0000 which has been included in the signature.

Could anyone please explain?

Thanks a lot.

    14:14:23.705193 IP ns.lingv.ro.2002 > xx.yy.116.27.2002: type: 0 chksum: be91 id: 6338f02b tag: 26 id: 7b279513 len: 29 seq: 5c8fa1c1 | route sync=1 hops=5 server=0 links=11678 [slapper] (DF)
    0x0000 4500 0045 0000 4000 2b11 b5e2 c1e6 2582 E..E..@.+.....%.
    0x0010 yyxx 741b 07d2 07d2 0031 f1ce 0000 0000 yxt......1......
    0x0020 91be 0000 2bf0 3863 2600 0000 1395 277b ....+.8c&.....'{
    0x0030 1d00 0000 c1a1 8f5c 0105 0000 0000 0000 .......\........
    0x0040 9e2d 0000 00 .-...

Regards,
Ashley

--
Ashley Thomas
Research scientist
College of Computing
Georgia Tech.
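As an added illustration (not part of the original post or of the Snort rule set): a short Python script that rebuilds the packet from the quoted tcpdump dump, discarding the 0x0000 / 0x0010 offset column, and then applies both candidate content strings with offset:0; depth:10 to the raw packet and to the UDP payload, which is the data Snort's content keyword inspects. The little-endian field layout in decode_slapper_header is an assumption inferred from the dump bytes and tcpdump's decoded line; the masked "yyxx" address bytes are replaced with zeros.

```python
import re
import struct
# Constructed copy of the tcpdump hex dump quoted in the post. The first column
# ("0x0000", "0x0010", ...) is tcpdump's byte-offset label, not packet data;
# "yyxx" is the poster's masking of the destination address.
TCPDUMP_HEX = """\
0x0000 4500 0045 0000 4000 2b11 b5e2 c1e6 2582 E..E..@.+.....%.
0x0010 yyxx 741b 07d2 07d2 0031 f1ce 0000 0000 yxt......1......
0x0020 91be 0000 2bf0 3863 2600 0000 1395 277b ....+.8c&.....'{
0x0030 1d00 0000 c1a1 8f5c 0105 0000 0000 0000 .......\\........
0x0040 9e2d 0000 00 .-...
"""

def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild the raw IP packet from 'tcpdump -x' style lines."""
    out = bytearray()
    for line in dump.splitlines():
        for word in line.split()[1:9]:  # skip offset label; at most 8 words of data
            if re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", word):
                out += bytes.fromhex(word)
            elif re.fullmatch(r"[xy]{4}", word):  # masked bytes: substitute zeros
                out += b"\x00\x00"
            else:  # reached the ASCII column
                break
    return bytes(out)

def udp_payload(packet: bytes) -> bytes:
    """Return the UDP payload, which is what Snort's content keyword inspects."""
    assert packet[9] == 17, "not a UDP datagram"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[ihl + 8:total_len]

def content_matches(data: bytes, content: str, offset: int = 0, depth=None) -> bool:
    """Snort-style content match: search 'depth' bytes starting at 'offset'."""
    needle = bytes.fromhex(content.strip("|"))
    window = data[offset:] if depth is None else data[offset:offset + depth]
    return needle in window

def decode_slapper_header(payload: bytes) -> dict:
    """Little-endian layout inferred (assumption) from the dump and tcpdump's decode."""
    names = ("type", "chksum", "id", "tag", "id2", "len", "seq")
    return dict(zip(names, struct.unpack_from("<B3xIIIIII", payload)))

if __name__ == "__main__":
    pkt = parse_tcpdump_hex(TCPDUMP_HEX)
    pay = udp_payload(pkt)
    for rule in ("|0000 4500 0045 0000 4000|", "|4500 0045 0000 4000|"):
        print(rule, content_matches(pkt, rule, 0, 10), content_matches(pay, rule, 0, 10))
    print(decode_slapper_header(pay))
```

The decoded header values (type 0, chksum be91, id 6338f02b, tag 26, len 29, seq 5c8fa1c1) line up with tcpdump's summary line, which confirms the payload boundary used for the content comparison.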