Snort mailing list archives
MSBlast snort signatures
From: <CGhercoias () TWEC COM>
Date: Tue, 12 Aug 2003 21:28:36 -0400
Hello,

For those interested, here are the snort signatures for the MSBlast worm. We were hit yesterday so we had to deal with it. Still don't know how this entered our network, via email or brought in by a user surfing a web site, but I've seen a lot of TFTP Get over UDP/69 coming from workstations which have no business running TFTP servers.

# TFTP read request (opcode 00 01) for "msblast.exe" at the start of the UDP payload, destination port 69
alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( sid: 1000024; rev: 3; msg: "W32/MSBLAST Worm over TFTP"; content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; reference: url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype: trojan-activity; priority: 1;)

# Same content match on any destination port
alert udp $EXTERNAL_NET any -> $HOME_NET any ( sid: 1000025; rev: 4; msg: "W32/MSBLAST Worm ANY"; content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; reference: url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; classtype: trojan-activity; priority: 1;)

Please let me know if they were of any help.

Thank you,
Catalin Ghercoias
Office Phone: +(518) 452-1242 Ext.7435
Fax: (518) 452-4768
mail: cghercoias () twec com
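Added example, not part of the original post: the content bytes in the two rules decode to a TFTP read request (opcode 00 01) followed by the filename "msblast.exe". The Python sketch below compares that literal byte match with a parse of the request layout from RFC 1350, and goes slightly beyond the rules by comparing the filename case-insensitively and ignoring any path prefix. The function names and sample payloads are constructed for illustration.

```python
import struct

# Content bytes copied from the rules: opcode 00 01 + "msblast.exe"
RULE_CONTENT = bytes.fromhex("00 01 6D 73 62 6C 61 73 74 2E 65 78 65")
TFTP_RRQ, TFTP_WRQ = 1, 2       # RFC 1350 opcodes
WORM_FILE = b"msblast.exe"


def literal_rule_match(payload: bytes) -> bool:
    """Emulate the rules' content match anchored at the start of the payload."""
    return payload.startswith(RULE_CONTENT)


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for a TFTP RRQ/WRQ, or None if malformed."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    # Layout: filename NUL mode NUL (RFC 2347 options may follow)
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None
    return opcode, parts[0], parts[1]


def is_msblast_fetch(payload: bytes) -> bool:
    """True for a read request whose file basename is msblast.exe, any case."""
    req = parse_tftp_request(payload)
    if req is None or req[0] != TFTP_RRQ:
        return False
    basename = req[1].replace(b"\\", b"/").rsplit(b"/", 1)[-1]
    return basename.lower() == WORM_FILE


# Constructed sample payloads (not captured traffic)
SAMPLES = {
    "rrq_exact": b"\x00\x01msblast.exe\x00octet\x00",
    "rrq_upper": b"\x00\x01MSBLAST.EXE\x00octet\x00",
    "rrq_other": b"\x00\x01pxelinux.0\x00octet\x00",
    "wrq_same_name": b"\x00\x02msblast.exe\x00octet\x00",
    "truncated": b"\x00\x01msblast.exe",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14} literal={literal_rule_match(data)} parsed={is_msblast_fetch(data)}")
```

The upper-case sample is the case a byte-exact content match misses; the truncated sample matches the literal bytes but is not a well-formed request.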