Snort mailing list archives
RE: Sasser.b Worm Signature and Information
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Sun, 2 May 2004 10:06:35 -0400
I believe that the current worm will be detected by the following rule,

SID: 2514
RULE MSG: NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt

I have actually seen the exploits for this vulnerability triggering this rule (three different pieces of code to be exact). So I believe that worm will also trigger this rule when it comes knocking on the door....

Good luck!

vjl

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Mark.Schutzmann () Omron com
Sent: Saturday, May 01, 2004 11:39 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Sasser.b Worm Signature and Information

All,

Please review the following links for Snort Signature and details of the MS04-011 Windows exploit for LSASS:

SANS Analysis and SNORT SIG
http://www.incidents.org/diary.php?date=2004-05-01&isc=e363681119d768565232c3a7b6ae2b7e

LURHQ's Detailed Analysis
http://www.lurhq.com/sasser.html

Microsoft's Information:
http://www.microsoft.com/security/incident/sasser.asp

Best Regards,
Mark

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Sasser.b Worm Signature and Information Mark . Schutzmann (May 01)
- <Possible follow-ups>
- RE: Sasser.b Worm Signature and Information larosa, vjay (May 02)
- RE: Sasser.b Worm Signature and Information larosa, vjay (May 02)