Snort mailing list archives
Re: MS-SQL Worm Signature
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 27 Jan 2003 18:18:37 -0500
That flow option is wrong. You can't have "flow" in non-TCP rules. -Marty On 1/25/03 10:27 AM, "Frank Reid" <reid.frank () mail navy mil> wrote:
Snort says this rule is invalid (assumedly based on the content string?) Anyone have a working version? -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of -=Quequero=- Sent: Saturday, January 25, 2003 9:16 AM To: snort-users () lists sourceforge net Subject: [Snort-users] MS-SQL Worm Signature hi all, i've done a simple signature for detecting this worm, it should work (or at least, it works here :P) alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan"; flow:to_server,from_server; content:"|684765745466b96c6c|";classtype:attempted-admin) If there are errors plz correct me, thanx a lot to all, happy fishing :) -=Quequero=- SpP/Member www.spippolatori.com UIC Founder www.quequero.tk Linux Registered User #207978 ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616 Sourcefire: Professional Snort Sensor and Management Console appliances roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- MS-SQL Worm Signature -=Quequero=- (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- RE: MS-SQL Worm Signature Jim Laverty (Jan 25)
- RE: MS-SQL Worm Signature Rich Adamson (Jan 25)
- RE: MS-SQL Worm Signature Rich Adamson (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- Re: MS-SQL Worm Signature Martin Roesch (Jan 25)
- RE: MS-SQL Worm Signature Jim Laverty (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 27)
- Re: MS-SQL Worm Signature Erick Mechler (Jan 27)
- RE: MS-SQL Worm Signature Gordon Cunningham (Jan 27)
- Re: MS-SQL Worm Signature Martin Roesch (Jan 27)
- <Possible follow-ups>
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- Re: MS-SQL Worm Signature -=Quequero=- (Jan 25)
- RE: MS-SQL Worm Signature O'Flynn, Derek (Jan 27)