Snort mailing list archives

RE: MS-SQL Worm Signature


From: "Frank Reid" <fcreid () ourcorner org>
Date: Sat, 25 Jan 2003 12:48:36 -0500

Thanks, Patrick... I was able to cobble together this same signature as
a rough cut, although I reversed the rule to look only for traffic
originating from hosts on my own backbone.  The pure volume of traffic
inbound to my networks makes it impractical to log... the only solution
was to block all 1434/udp at the border routers.  The content field may
be irrelevant, as I'm dropping two packets from this ACL for every
single IP transaction permitted!

Pretty impressive worm!

Frank

-----Original Message-----
From: Patrick S. Harper - CISSP [mailto:lists () internetsecurityguru com] 
Sent: Saturday, January 25, 2003 12:20 PM
To: 'Frank Reid'
Subject: RE: [Snort-users] MS-SQL Worm Signature


 

# HOME_NET needs the $ prefix; with no content match, this fires on every UDP datagram to 1434.
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"New MS Sql Worm";)


This is what I am using. I am not the best at writing Snort rules, and
since I do not have any MSSQL where my sensor is, it is picking up only
worm traffic.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Frank Reid
Sent: Saturday, January 25, 2003 8:07 AM
To: '-=Quequero=-'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] MS-SQL Worm Signature


This rule gives me an error (aside from the trailing semicolon)...
anyone have a working version?  Thanks!

Frank

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
-=Quequero=-
Sent: Saturday, January 25, 2003 9:16 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] MS-SQL Worm Signature


Hi all, I've done a simple signature for detecting this worm; it should
work (or at least, it works here :P)

# Joined onto one line; "flow:to_server,from_server" dropped (the two directions
# are mutually exclusive, so Snort rejects the option); closing ";" added.
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan"; content:"|68 47 65 74 54 66 b9 6c 6c|"; classtype:attempted-admin;)

If there are errors, please correct me. Thanks a lot to all, happy fishing :)


-=Quequero=-
SpP/Member www.spippolatori.com
UIC Founder www.quequero.tk
Linux Registered User #207978 



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users









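Added example, not code from the thread: a small Python matcher that parses the two rules quoted above (Quequero's with the option fixes applied, Patrick's with $HOME_NET) and runs them over two constructed UDP datagrams to 1434, showing why the content field matters: the port-only rule also fires on an ordinary SQL Server Resolution Service instance lookup. Both payloads are constructed, not captures; the rule parser handles only the header fields and options these two rules use.

```python
import re

# The two rules from the thread, each on one line as Snort expects.
QUEQUERO_RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan"; '
                 'content:"|68 47 65 74 54 66 b9 6c 6c|"; classtype:attempted-admin;)')
PATRICK_RULE = 'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"New MS Sql Worm";)'

HEX_GROUP = re.compile(r"\|([0-9A-Fa-f\s]+)\|")
RULE_OPTS = re.compile(r'(\w+):\s*"?([^";]*)"?\s*;')

def parse_content(spec):
    """Decode a Snort content string: text outside |...| is literal, hex pairs inside."""
    out, pos = bytearray(), 0
    for m in HEX_GROUP.finditer(spec):
        out += spec[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(re.sub(r"\s", "", m.group(1)))
        pos = m.end()
    return bytes(out + spec[pos:].encode("latin-1"))

def parse_rule(rule):
    """Pull protocol, destination port, msg and content out of a one-line alert rule."""
    header, opts = rule.split("(", 1)
    _action, proto, _src, _sport, _arrow, _dst, dport = header.split()
    o = dict(RULE_OPTS.findall(opts.rstrip(") ")))
    return {"proto": proto, "dport": dport, "msg": o.get("msg"),
            "content": parse_content(o["content"]) if "content" in o else None}

def matches(rule, dgram):
    """dgram is a {'proto', 'dport', 'payload'} record; only the fields the rules use."""
    if dgram["proto"] != rule["proto"]:
        return False
    if rule["dport"] != "any" and str(dgram["dport"]) != rule["dport"]:
        return False
    return rule["content"] is None or rule["content"] in dgram["payload"]

def evaluate(rules, dgrams):
    """Return (rule msg, datagram name) for every rule/datagram pair that fires."""
    return [(r["msg"], name) for r in map(parse_rule, rules)
            for name, d in dgrams.items() if matches(r, d)]

# Constructed sample traffic (not captures): filler carrying the 9 bytes the content
# rule looks for, and a harmless SSRP instance lookup (0x04 + instance name) to the same port.
SAMPLES = {
    "worm-like": {"proto": "udp", "dport": 1434,
                  "payload": b"\x04" + b"\x01" * 16 + bytes.fromhex("684765745466b96c6c") + b"\x00" * 8},
    "ssrp-lookup": {"proto": "udp", "dport": 1434, "payload": b"\x04SQLEXPRESS\x00"},
}

if __name__ == "__main__":
    for msg, name in evaluate([QUEQUERO_RULE, PATRICK_RULE], SAMPLES):
        print(f"{msg!r} fired on {name}")
```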

