Snort mailing list archives
RE: MS-SQL Worm Signature
From: Jim Laverty <jlaverty () snet net>
Date: Sat, 25 Jan 2003 11:57:38 -0500
Here are a few details from the Security Incidents list: http://www.digitaloffense.net/worms/mssql_udp_worm/ After some well needed coffee, I'm going to look into this in more detail. At 11:06 AM 1/25/2003, Frank Reid wrote:
This rule gives me an error (aside from the trailing semicolon)... anyone have a working version? Thanks! Frank -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of -=Quequero=- Sent: Saturday, January 25, 2003 9:16 AM To: snort-users () lists sourceforge net Subject: [Snort-users] MS-SQL Worm Signature hi all, i've done a simple signature for detecting this worm, it should work (or at least, it works here :P) alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan"; flow:to_server,from_server; content:"|684765745466b96c6c|";classtype:attempted-admin) If there are errors plz correct me, thanx a lot to all, happy fishing :) -=Quequero=- SpP/Member www.spippolatori.com UIC Founder www.quequero.tk Linux Registered User #207978 ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- MS-SQL Worm Signature -=Quequero=- (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- RE: MS-SQL Worm Signature Jim Laverty (Jan 25)
- RE: MS-SQL Worm Signature Rich Adamson (Jan 25)
- RE: MS-SQL Worm Signature Rich Adamson (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- Re: MS-SQL Worm Signature Martin Roesch (Jan 25)
- RE: MS-SQL Worm Signature Jim Laverty (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 27)
- Re: MS-SQL Worm Signature Erick Mechler (Jan 27)
- RE: MS-SQL Worm Signature Gordon Cunningham (Jan 27)
- Re: MS-SQL Worm Signature Martin Roesch (Jan 27)
- <Possible follow-ups>
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- Re: MS-SQL Worm Signature -=Quequero=- (Jan 25)