Snort mailing list archives
Re: MS-SQL Worm Signature
From: -=Quequero=- <quequero () bitchx it>
Date: Sat, 25 Jan 2003 20:42:53 +0100
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity";content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994; rev:1;)
This worm does:

    81 f1 03 01 04 9b    xor ecx, 9B040103h
    81 f1 01 01 01 01    xor ecx, 1010101h
    51                   push ecx

9B040103 xor 1010101 = 9A050002 = port 1434 -> AF_INET

So I think this sequence is unique enough to be used for a signature like:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|81f10301049b81f101|"; classtype:bad-unknown; sid:9994; rev:1;)

What do you think?

-=Quequero=-
SpP/Member www.spippolatori.com
UIC Founder www.quequero.tk
Linux Registered User #207978
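As an added illustration (not part of the post or the thread), the following Python emulates both plain Snort content matches and decodes the xor pair into the sockaddr_in fields the post describes; the sample payloads are constructed for the demonstration, not captured traffic.

```python
import struct

# The two content matches from the thread, as the bytes Snort would search for.
SIG_HEADER = bytes.fromhex("0401010101010101")   # opcode 04 + filler, from the earlier rule
SIG_XOR = bytes.fromhex("81f10301049b81f101")    # xor ecx,9B040103h / xor ecx,1010101h (prefix)

def snort_content_match(payload: bytes, content: bytes) -> bool:
    """Emulate a plain, unanchored Snort 'content:' option: a substring search."""
    return content in payload

def decode_xor_sockaddr(payload: bytes):
    """Locate a back-to-back 'xor ecx, imm32' pair (opcode 81 F1 + imm32 each)
    and recover the value that reaches 'push ecx': imm1 ^ imm2, read as the
    sin_family / sin_port fields of a sockaddr_in. Returns (family, port) or None."""
    pos = payload.find(b"\x81\xf1")
    while pos >= 0 and pos + 12 <= len(payload):
        if payload[pos + 6:pos + 8] == b"\x81\xf1":
            imm1 = struct.unpack_from("<I", payload, pos + 2)[0]
            imm2 = struct.unpack_from("<I", payload, pos + 8)[0]
            raw = struct.pack("<I", imm1 ^ imm2)       # memory layout after the push
            family = struct.unpack("<H", raw[:2])[0]   # host order: 2 == AF_INET
            port = struct.unpack(">H", raw[2:])[0]     # network order: 0x059A == 1434
            return family, port
        pos = payload.find(b"\x81\xf1", pos + 1)
    return None

def classify(payload: bytes) -> dict:
    """Report which of the two signatures fire and what the xor pair decodes to."""
    return {
        "header_sig": snort_content_match(payload, SIG_HEADER),
        "xor_sig": snort_content_match(payload, SIG_XOR),
        "sockaddr": decode_xor_sockaddr(payload),
    }

# Constructed sample payloads (not captured traffic): one carrying only the
# header bytes, one carrying the header plus the xor/push fragment from the post.
HEADER_ONLY = SIG_HEADER + b"\x01" * 16
WITH_XOR = (SIG_HEADER + b"\x01" * 16
            + bytes.fromhex("81f10301049b") + bytes.fromhex("81f101010101") + b"\x51")

if __name__ == "__main__":
    for name, p in (("header-only", HEADER_ONLY), ("with-xor", WITH_XOR)):
        print(name, classify(p))
```

The header-only payload fires just the weaker 04 01 ... match, while the second fires both and decodes to (2, 1434), which is the AF_INET / port 1434 pair the post derives by hand.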