Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: MS-SQL Worm Signature

From: Rich Adamson <radamson () routers com>
Date: Sat, 25 Jan 2003 12:04:40 -0600
Interesting... looks like maybe the Dell support site was hit. Its
still off line as of noon (CST).

------------------------

Here are a few details from the Security Incidents list:

http://www.digitaloffense.net/worms/mssql_udp_worm/

After some well needed coffee, I'm going to look into this in more detail.


At 11:06 AM 1/25/2003, Frank Reid wrote:

This rule gives me an error (aside from the trailing semicolon)...
anyone have a working version?  Thanks!

Frank

-----Original Message-----



hi all, i've done a simple signature for detecting this worm, it should
work (or at least, it works here :P)

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan";

flow:to_server,from_server;
content:"|684765745466b96c6c|";classtype:attempted-admin)

If there are errors plz correct me, thanx a lot to all, happy fishing :)





-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: