Snort mailing list archives

MS SQL activity


From: Rich Adamson <radamson () routers com>
Date: Sat, 25 Jan 2003 12:09:32 -0600


For those reacting to the MS SQL issue, here's someone's snort rule
that has been alerting fine at our location:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994; rev:1;)

I'd also expect to see many different variations on "content", therefore
keeping the rule as simple as possible is probably in order.

An excellent technical narrative describing the detail behind the bug 
can be found at:
  http://www.nextgenss.com/advisories/mssql-udp.txt

Cisco access list filters at one small ISP indicated:
 547 attempts within 30 seconds of installing the ACL this morning
 14,486 attempts within 30 minutes
 63,910 attempts within 2 hours




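As an added illustration (not part of the original post or of Snort itself), the following Python reproduces the matching logic of the rule quoted above over a handful of constructed UDP datagrams: source must be outside the home network, destination port must be 1434, and the eight-byte content must appear anywhere in the payload, which is how a plain Snort `content:` option behaves when no `offset`/`depth` is given. The home network range and the sample packets are assumptions made for this example; the sid, message and byte pattern come from the rule in the post.

```python
import ipaddress
from dataclasses import dataclass

# Values taken from the rule quoted in the post.
SID = 9994
REV = 1
MSG = "MS-SQL Slammer Worm Activity"
DST_PORT = 1434
PATTERN = bytes.fromhex("0401010101010101")   # |04 01 01 01 01 01 01 01|

# Assumed stand-in for $HOME_NET; anything outside it plays $EXTERNAL_NET.
HOME_NET = ipaddress.ip_network("192.168.0.0/16")


@dataclass
class UdpDatagram:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def is_external(addr: str) -> bool:
    return ipaddress.ip_address(addr) not in HOME_NET


def matches_rule(pkt: UdpDatagram) -> bool:
    """Apply the rule's three conditions: direction, destination port, content.

    A bare `content:` in Snort is not anchored, so the pattern may sit at any
    offset in the payload; `in` mirrors that rather than `startswith`.
    """
    if not is_external(pkt.src) or is_external(pkt.dst):
        return False          # $EXTERNAL_NET any -> $HOME_NET
    if pkt.dport != DST_PORT:
        return False          # port 1434 only
    return PATTERN in pkt.payload


def scan(packets):
    """Return Snort-style alert lines for every datagram the rule fires on."""
    return [
        f"[**] [1:{SID}:{REV}] {MSG} [**] {p.src}:{p.sport} -> {p.dst}:{p.dport}"
        for p in packets
        if matches_rule(p)
    ]


# Constructed sample traffic (not captured data). Filler bytes after the
# pattern are arbitrary and carry no real payload.
SAMPLES = [
    # external -> home, port 1434, pattern at offset 0: fires
    UdpDatagram("203.0.113.5", "192.168.1.10", 40212, 1434, PATTERN + b"\x01" * 16),
    # same port, but a different first byte: no match
    UdpDatagram("203.0.113.7", "192.168.1.10", 40213, 1434, b"\x02" + b"\x01" * 7),
    # internal source: direction clause excludes it
    UdpDatagram("192.168.1.20", "192.168.1.10", 1434, 1434, PATTERN + b"\x01" * 8),
    # wrong destination port (1433 instead of 1434): no match
    UdpDatagram("203.0.113.9", "192.168.1.10", 40214, 1433, PATTERN),
    # pattern preceded by two bytes: still matches because content is unanchored
    UdpDatagram("203.0.113.9", "192.168.1.11", 40215, 1434, b"\x00\x00" + PATTERN),
]

if __name__ == "__main__":
    for line in scan(SAMPLES):
        print(line)
```

Running the block prints two alert lines, one for the first sample and one for the last. The unanchored match on the last sample is the property the post relies on when it argues for keeping the rule simple: tightening the content with an offset would narrow what the rule catches.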

