Snort mailing list archives
Re: MS-SQL Worm Signature
From: Martin Roesch <roesch () sourcefire com>
Date: Sat, 25 Jan 2003 23:41:44 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1Nope, they support the Snort rules language (at least partially) in the Manhunt product, although we don't know how completely they've implemented Snort rules language support...
BTW, there is a rule for the SQL Slammer worm up at snort.org that we've tested and approved for release. I like eEye's name "Sapphire" better than SQL Slammer in case anyone is wondering, but that's just me... :)
-Marty On Saturday, January 25, 2003, at 01:21 PM, Frank Reid wrote:
- -- Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616I found this one on Symantec's ManHunt at:http://securityresponse.symantec.com/avcenter/venc/data/ w32.sqlexp.worm.html#technicaldetails alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"W32.SQLEXP.Worm propagation"; content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; content:"|04|"; offset:0; depth:1;) It seems to work perfectly as a Snort rule... is this just coincidence that they used the same syntax? Frank -----Original Message----- From: Rich Adamson [mailto:radamson () routers com] Sent: Saturday, January 25, 2003 12:58 PM To: '-=Quequero=-'; Frank Reid; snort-users () lists sourceforge net Subject: RE: [Snort-users] MS-SQL Worm Signature This one is alerting as I write this email: alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994; rev:1;) ------------------------ From: Frank Reid <fcreid () ourcorner org> Subject: RE: [Snort-users] MS-SQL Worm Signature Date: Sat, 25 Jan 2003 11:06:46 -0500 To: '-=Quequero=-' <quequero () bitchx it>, snort-users () lists sourceforge netThis rule gives me an error (aside from the trailing semicolon)... anyone have a working version? Thanks! Frank -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of -=Quequero=- Sent: Saturday, January 25, 2003 9:16 AM To: snort-users () lists sourceforge net Subject: [Snort-users] MS-SQL Worm Signature hi all, i've done a simple signature for detecting this worm, it should work (or at least, it works here :P) alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan"; flow:to_server,from_server; content:"|684765745466b96c6c|";classtype:attempted-admin) If there are errors plz correct me, thanx a lot to all, happy fishing :) -=Quequero=- SpP/Member www.spippolatori.com UIC Founder www.quequero.tk Linux Registered User #207978 ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users---------------End of Original Message----------------- ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Sourcefire: Enterprise-class Intrusion detection built on Snort roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iD8DBQE+M2cQqj0FAQQ3KOARAmLxAJ9x7coEDUw53rBz723tHHpKaKWSZwCeMuYK S25rZM/NZTuiqQAmkuHVqNM= =7dbP -----END PGP SIGNATURE----- ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- MS-SQL Worm Signature -=Quequero=- (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- RE: MS-SQL Worm Signature Jim Laverty (Jan 25)
- RE: MS-SQL Worm Signature Rich Adamson (Jan 25)
- RE: MS-SQL Worm Signature Rich Adamson (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- Re: MS-SQL Worm Signature Martin Roesch (Jan 25)
- RE: MS-SQL Worm Signature Jim Laverty (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 27)
- Re: MS-SQL Worm Signature Erick Mechler (Jan 27)
- RE: MS-SQL Worm Signature Gordon Cunningham (Jan 27)
- Re: MS-SQL Worm Signature Martin Roesch (Jan 27)
- <Possible follow-ups>
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- Re: MS-SQL Worm Signature -=Quequero=- (Jan 25)
- RE: MS-SQL Worm Signature O'Flynn, Derek (Jan 27)