Snort mailing list archives
Re: [Snort-sigs] Slapper signature ??
From: Ashley Thomas <athomas () cc gatech edu>
Date: Wed, 08 Jan 2003 12:40:08 -0500
Yeah, even I think that 0000 is incorrect. Old? I still see them on my network... and the Snort signature was not alerting... that's why I was wondering.

Thanks.

Jukka Juslin wrote:
On Tue, 7 Jan 2003, Ashley Thomas wrote:

->Hi all,
->
->Snort signature for detecting slapper worm's communication messages is -
->
->alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper
->worm admin traffic";
->content:"|0000 4500 0045 0000 4000|"; offset:0; depth:10;
->classtype:trojan-activity;
->reference:url,www.cert.org/advisories/CA-2002-27.html;
->reference:url,isc.incidents.org/analysis.html?id=167; sid:1889; rev:3;)
->
->Should we be matching for content: "|0000 4500 0045 0000 4000|";
->or
->content: "|4500 0045 0000 4000|";
->
->I could not understand why the 0000 is there at the starting.

I launched a test slapper attack and I was able to detect it fine with content: "|4500 0045 0000 4000|". Therefore I think the 0000 is not needed.

By the way, why are you so concerned with such an old attack? I think Microsoft SQL servers etc. are much more targeted now (according to incidents.org).

I am a bit concerned that I don't see much more new snort filters coming up for new vulnerabilities? Maybe I just have to write the filters I need by myself to accomplish what I want.

Jukka Juslin
M.Sc. (CS)
European Organization for Nuclear Research
--
Ashley Thomas
Research scientist
College of Computing
Georgia Tech.
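Added example, not part of the thread or of Snort itself: a small Python model of how `content` with `offset:0; depth:10` is evaluated, applied to the two patterns discussed above. The payloads are constructed for illustration and are not captured Slapper traffic; `parse_content`, `content_match` and `compare` are hypothetical helper names, and escape sequences inside `content` are not handled.

```python
# Added example: a miniature model of Snort content/offset/depth matching.
def parse_content(spec: str) -> bytes:
    """Convert a Snort content string to bytes; |..| sections are hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                        # odd segments sit between pipes: hex
            out += bytes.fromhex(part.replace(" ", ""))
        else:                            # even segments are literal text
            out += part.encode("latin-1")
    return bytes(out)


def content_match(payload: bytes, spec: str, offset: int = 0, depth=None) -> bool:
    """True if the pattern lies wholly inside payload[offset:offset+depth]."""
    end = len(payload) if depth is None else offset + depth
    return parse_content(spec) in payload[offset:end]


RULE_REV3 = "|0000 4500 0045 0000 4000|"   # content from sid:1889 rev:3
SHORTER = "|4500 0045 0000 4000|"          # alternative proposed in the thread

# Constructed payloads, NOT captured worm traffic: the same eight bytes with
# and without two leading zero bytes, followed by filler.
WITH_PREFIX = bytes.fromhex("00004500004500004000") + b"\x41" * 16
WITHOUT_PREFIX = bytes.fromhex("4500004500004000") + b"\x41" * 16


def compare() -> dict:
    """Evaluate both patterns against both payloads with offset:0; depth:10."""
    payloads = {"with_prefix": WITH_PREFIX, "without_prefix": WITHOUT_PREFIX}
    patterns = {"rev3": RULE_REV3, "shorter": SHORTER}
    return {(p, c): content_match(data, spec, offset=0, depth=10)
            for p, data in payloads.items() for c, spec in patterns.items()}


if __name__ == "__main__":
    for key, hit in compare().items():
        print(key, "alert" if hit else "no alert")
```

With `depth:10` the 10-byte pattern can only match starting at payload byte 0, while the 8-byte pattern may start at byte 0, 1 or 2, so it matches both constructed payloads.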