Snort mailing list archives

RE: MS-SQL Worm Signature

From: "O'Flynn, Derek" <DOFlyn () lsuhsc edu>
Date: Mon, 27 Jan 2003 14:57:46 -0600

I downloaded the one off the snort.org page, and it works quite well.  Just
make sure you don't switch it to monitor your home_net -> external_net.  I
did that so I could check on machines internally and it managed to generate
about 1 million+ events in my database.  This was from one host!  So not
only did it cause a DoS on the network, but DoS on my IDS too :)

Checking for External_net to Home_net should be fine, but I blocked UDP port
1434 at the router on Saturday when I was up at 3am so no use in trying to
detect it.

At the moment, I'm using tcpdump -nn net <home_net> and udp and port 1434.
When one pops up, you can see it real quick.

Derek

-----Original Message-----
From: Frank Reid [mailto:reid.frank () mail navy mil] 
Sent: Saturday, January 25, 2003 9:28 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] MS-SQL Worm Signature

Snort says this rule is invalid (assumedly based on the content string?)
Anyone have a working version?

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
-=Quequero=-
Sent: Saturday, January 25, 2003 9:16 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] MS-SQL Worm Signature


hi all, i've done a simple signature for detecting this worm, it should 
work (or at least, it works here :P)

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan";

flow:to_server,from_server; 
content:"|684765745466b96c6c|";classtype:attempted-admin)

If there are errors plz correct me, thanx a lot to all, happy fishing :)


-=Quequero=-
SpP/Member www.spippolatori.com
UIC Founder www.quequero.tk
Linux Registered User #207978 



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

RE: MS-SQL Worm Signature, (continued)
- - - RE: MS-SQL Worm Signature Rich Adamson (Jan 25)
  - RE: MS-SQL Worm Signature Rich Adamson (Jan 25)
    - RE: MS-SQL Worm Signature Frank Reid (Jan 25)
    - Re: MS-SQL Worm Signature Martin Roesch (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 27)
  - Re: MS-SQL Worm Signature Erick Mechler (Jan 27)
  - RE: MS-SQL Worm Signature Gordon Cunningham (Jan 27)
  - Re: MS-SQL Worm Signature Martin Roesch (Jan 27)
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- Re: MS-SQL Worm Signature -=Quequero=- (Jan 25)
- RE: MS-SQL Worm Signature O'Flynn, Derek (Jan 27)