Snort mailing list archives
MS SQL activity
From: Rich Adamson <radamson () routers com>
Date: Sat, 25 Jan 2003 12:09:32 -0600
For those reacting to the MS SQL issue, here's someone's snort rule that has been alerting fine at our location:

    alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994; rev:1;)

I'd also expect to see many different variations on "content", therefore keeping the rule as simple as possible is probably in order.

An excellent technical narrative describing the detail behind the bug can be found at: http://www.nextgenss.com/advisories/mssql-udp.txt

Cisco access list filters at one small ISP indicated:

    547 attempts within 30 seconds of installing the ACL this morning
    14,486 attempts within 30 minutes
    63,910 attempts within 2 hours
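An added example, not part of the original post and not Snort's own code: the Python below decodes the rule's content option into bytes and applies the rule's protocol, port and content checks to a few packets. It assumes this simple rule shape only (address variables and content modifiers are ignored), and the sample packets are constructed, not captured traffic.

```python
import re

# Rule text copied from the post above.
RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 1434 '
        '(msg:"MS-SQL Slammer Worm Activity"; '
        'content:"|04 01 01 01 01 01 01 01|"; '
        'classtype:bad-unknown; sid:9994; rev:1;)')

def parse_content(value):
    """Decode a Snort content string: |..| spans are hex bytes, the rest is literal text."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2:  # odd segments sit between pipes, so they are hex
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def parse_rule(rule):
    """Extract protocol, destination port, msg and content patterns from a simple rule."""
    header, _, options = rule.partition("(")
    _action, proto, _src, _sport, _direction, _dst, dport = header.split()
    contents = [parse_content(c) for c in re.findall(r'content:"([^"]*)"', options)]
    msg = re.search(r'msg:"([^"]*)"', options).group(1)
    return {"proto": proto, "dport": int(dport), "contents": contents, "msg": msg}

def matches(rule, proto, dport, payload):
    """True if the packet matches protocol, port and every content pattern."""
    return (proto == rule["proto"] and dport == rule["dport"]
            and all(c in payload for c in rule["contents"]))

# Constructed sample packets (protocol, destination port, payload).
SAMPLES = [
    ("udp", 1434, b"\x04" + b"\x01" * 96),  # 0x04 followed by a run of 0x01 bytes
    ("udp", 1434, b"\x02"),                 # single 0x02 byte, no pattern present
    ("udp", 53,   b"\x04" + b"\x01" * 96),  # same bytes, different port
    ("udp", 1434, b"\x04" + b"\x01" * 5),   # shorter than the 8-byte pattern
]

def run():
    """Apply the parsed rule to every constructed sample."""
    rule = parse_rule(RULE)
    return [matches(rule, *sample) for sample in SAMPLES]

if __name__ == "__main__":
    for sample, hit in zip(SAMPLES, run()):
        print(sample[0], sample[1], len(sample[2]), "ALERT" if hit else "-")
```

Only the first sample alerts: the pattern is eight fixed bytes on UDP port 1434, so the same bytes on another port, or a shorter run of 0x01, do not match.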