Snort mailing list archives

Re: [Snort-sigs] Slapper signature ??


From: Ashley Thomas <athomas () cc gatech edu>
Date: Wed, 08 Jan 2003 12:40:08 -0500

Yeah, even I think that 0000 is incorrect.

Old? I still see them on my network, and the Snort signature was not alerting; that's why I was wondering.
Thanks.

Jukka Juslin wrote:

On Tue, 7 Jan 2003, Ashley Thomas wrote:

->Hi all,
->
->Snort signature for detecting slapper worm's communication messages is -
->
->alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper
->worm admin traffic";
->content:"|0000 4500 0045 0000 4000|"; offset:0; depth:10;
->classtype:trojan-activity;
->reference:url,www.cert.org/advisories/CA-2002-27.html;
->reference:url,isc.incidents.org/analysis.html?id=167; sid:1889; rev:3;)
->
->Should we be matching for content: "|0000 4500 0045 0000 4000|";
->or
->content: "|4500 0045 0000 4000|";
->
->I could not understand why the 0000 is there at the starting.

I launched a test slapper attack and I was able detect it fine with
content: "|4500 0045 0000 4000|". Therefore I think the 0000 is not
needed.

By the way, why are you so concerned with such an old attack? I think
Microsoft SQL servers etc are much more targeted now (according to
incidents.org). I am a bit concerned that I don't see much more new snort
filters coming up for new vulnerabilities?

Maybe I just have to write the filters I need by myself to accomplish what
I want.

Jukka Juslin
M.Sc. (CS)
European Organization for Nuclear Research



--
Ashley Thomas
Research scientist
College of Computing
Georgia Tech.
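To make the offset/depth question in this thread concrete, here is an added Python example (not from the thread, and not Snort's own matcher): it parses the two content strings in Snort's |hex| notation, models the `offset:0; depth:10` search window, and runs both against two constructed sample payloads, one that starts with the two null bytes and one that does not.

```python
# Added example: a minimal model of Snort's content/offset/depth matching,
# used to compare the sid:1889 content string with the shorter one proposed
# in the thread. The payloads are constructed samples, not real captures.
from typing import Dict, Optional


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into bytes.

    Text between '|' pairs is hex (spaces ignored); text outside is literal.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                      # inside |...|: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                               # outside |...|: literal characters
            out += part.encode("latin-1")
    return bytes(out)


def content_match(payload: bytes, pattern: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """True if pattern lies entirely inside payload[offset:offset+depth].

    Mirrors the rule options quoted above: the search window starts 'offset'
    bytes into the payload and is 'depth' bytes long (whole payload if None).
    """
    end = len(payload) if depth is None else offset + depth
    return payload.find(pattern, offset, end) != -1


RULE_CONTENT = parse_content("|0000 4500 0045 0000 4000|")   # sid:1889 rev:3 as quoted
PROPOSED_CONTENT = parse_content("|4500 0045 0000 4000|")    # shorter match from the thread

# Constructed sample payloads (first bytes of a hypothetical UDP/2002 datagram).
PAYLOAD_WITH_NULLS = bytes.fromhex("0000 4500 0045 0000 4000 0102 0304 0506")
PAYLOAD_NO_NULLS = bytes.fromhex("4500 0045 0000 4000 0102 0304 0506 0708")


def evaluate(payload: bytes) -> Dict[str, bool]:
    """Apply both content strings with offset:0; depth:10 and report which fire."""
    return {
        "sid1889_rev3": content_match(payload, RULE_CONTENT, offset=0, depth=10),
        "proposed": content_match(payload, PROPOSED_CONTENT, offset=0, depth=10),
    }


if __name__ == "__main__":
    for name, p in (("with leading nulls", PAYLOAD_WITH_NULLS),
                    ("without leading nulls", PAYLOAD_NO_NULLS)):
        print(f"{name}: {evaluate(p)}")
```

Because the 8-byte pattern can start at offset 0, 1 or 2 inside a 10-byte window, the shorter content still fires on a payload that carries the leading nulls, while the 10-byte content fires only when they are present.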



