Snort mailing list archives
RE: MS-SQL Worm Signature
From: "Frank Reid" <fcreid () ourcorner org>
Date: Sat, 25 Jan 2003 12:48:36 -0500
Thanks, Patrick... I was able to cobble together this same signature as a rough cut, although I reversed the rule to look only for traffic originating from hosts on my own backbone. The pure volume of traffic inbound to my networks makes it impractical to log... the only solution was to block all 1434/udp at the border routers. The content field may be irrelevant, as I'm dropping two packets from this ACL for every single IP transaction permitted! Pretty impressive worm!

Frank

-----Original Message-----
From: Patrick S. Harper - CISSP [mailto:lists () internetsecurityguru com]
Sent: Saturday, January 25, 2003 12:20 PM
To: 'Frank Reid'
Subject: RE: [Snort-users] MS-SQL Worm Signature

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"New MS Sql Worm";)

This is what I am using. I am not the best at writing Snort rules, and since I do not have any MSSQL where my sensor is, it is picking up only worm traffic.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Frank Reid
Sent: Saturday, January 25, 2003 8:07 AM
To: '-=Quequero=-'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] MS-SQL Worm Signature

This rule gives me an error (aside from the trailing semicolon)... anyone have a working version?

Thanks!

Frank

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of -=Quequero=-
Sent: Saturday, January 25, 2003 9:16 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] MS-SQL Worm Signature

Hi all, I've done a simple signature for detecting this worm, it should work (or at least, it works here :P)

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan"; flow:to_server,from_server; content:"|684765745466b96c6c|";classtype:attempted-admin)

If there are errors please correct me, thanks a lot to all, happy fishing :)

-=Quequero=-
SpP/Member www.spippolatori.com
UIC Founder www.quequero.tk
Linux Registered User #207978

-------------------------------------------------------
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPjLHXXeEY0biJdlsEQIxLQCg7Z3mdjcwp0ZkxyukswU7idGb4kgAnjuP
H6A1dQduYahkmBPqWE54/pH0
=jhJ8
-----END PGP SIGNATURE-----
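The rules in this thread can only be checked by loading them into Snort, so the following is an added example, written for this archive page and not code from any of the posters or from Snort itself, that re-implements the stateless part of the matching in Python. It converts the `|hex|` content string from Quequero's rule into bytes, applies the header `$EXTERNAL_NET any -> $HOME_NET 1434` (direction plus destination port) the way the posted rules do, and also offers the reversed outbound variant Frank describes, which flags only hosts on your own side that are spraying port 1434 outward. The range assigned to `$HOME_NET`, the `Datagram` class and every sample datagram are constructed assumptions; the `flow` keyword is deliberately not modelled, since a single UDP datagram carries no session state for it to act on.

```python
"""Stateless re-implementation of the thread's Snort rule matching.

Added example for this archive page; not Snort code and not written by
any of the posters.  The HOME_NET range and every datagram below are
constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Content string exactly as it appears in Quequero's rule.
RULE_CONTENT = "|684765745466b96c6c|"
# Assumption: $HOME_NET is a private /8; substitute your own range.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
SQL_RESOLUTION_PORT = 1434


def parse_snort_content(spec: str) -> bytes:
    """Convert a Snort content string into bytes.

    Snort writes binary in |hex| groups; anything outside the bars is a
    literal.  Example: "|68 47|Tf" -> b"hGTf".
    """
    out = bytearray()
    for piece in re.split(r"(\|[0-9A-Fa-f ]+\|)", spec):
        if not piece:
            continue
        if piece.startswith("|") and piece.endswith("|"):
            out += bytes.fromhex(piece.strip("|"))
        else:
            out += piece.encode("latin-1")
    return bytes(out)


@dataclass
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


def rule_matches(d: Datagram, pattern: bytes, outbound: bool = False) -> bool:
    """Mirror the header '$EXTERNAL_NET any -> $HOME_NET 1434' plus the
    content check.  outbound=True flips it to Frank's variant, which only
    flags traffic leaving HOME_NET (handy when inbound volume is too high
    to log and the goal is finding infected hosts on your own backbone)."""
    if d.dport != SQL_RESOLUTION_PORT:
        return False
    src_home = ipaddress.ip_address(d.src) in HOME_NET
    dst_home = ipaddress.ip_address(d.dst) in HOME_NET
    if outbound:
        direction_ok = src_home and not dst_home
    else:
        direction_ok = (not src_home) and dst_home
    return direction_ok and pattern in d.payload


def scan(datagrams: List[Datagram], outbound: bool = False) -> List[str]:
    """Return the source address of every datagram the rule would alert on."""
    pattern = parse_snort_content(RULE_CONTENT)
    return [d.src for d in datagrams if rule_matches(d, pattern, outbound)]


# Constructed samples.  The "worm-like" payloads are filler around the
# nine signature bytes only; they are not a copy of the worm.
SIGNATURE = parse_snort_content(RULE_CONTENT)
SAMPLES = [
    # legitimate SSRP discovery request: a single 0x02 byte
    Datagram("198.51.100.7", "10.1.2.3", 1434, b"\x02"),
    # worm-like datagram from outside hitting a host inside
    Datagram("203.0.113.9", "10.1.2.3", 1434,
             b"\x04" + b"\x01" * 16 + SIGNATURE + b"\x90" * 8),
    # same bytes, but to a port the rule does not cover
    Datagram("203.0.113.9", "10.1.2.3", 1433, b"\x04" + SIGNATURE),
    # an infected host inside spraying the outside world
    Datagram("10.9.8.7", "192.0.2.44", 1434, b"\x04" + b"\x01" * 16 + SIGNATURE),
]

if __name__ == "__main__":
    print("inbound hits :", scan(SAMPLES))                  # ['203.0.113.9']
    print("outbound hits:", scan(SAMPLES, outbound=True))   # ['10.9.8.7']
```

Run as a script it prints one inbound hit and one outbound hit; the SSRP probe and the datagram to port 1433 are ignored, which is the point of keeping the content match in the rule rather than alerting on every packet to 1434.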