Snort mailing list archives
RE: MS-SQL Worm Signature
From: "O'Flynn, Derek" <DOFlyn () lsuhsc edu>
Date: Mon, 27 Jan 2003 14:57:46 -0600
I downloaded the one off the snort.org page, and it works quite well. Just make sure you don't switch it to monitor your home_net -> external_net. I did that so I could check on machines internally, and it managed to generate about 1 million+ events in my database. This was from one host! So not only did it cause a DoS on the network, but a DoS on my IDS too :) Checking for External_net to Home_net should be fine, but I blocked UDP port 1434 at the router on Saturday when I was up at 3am, so there's no use in trying to detect it. At the moment, I'm using:

tcpdump -nn net <home_net> and udp and port 1434

When one pops up, you can see it real quick.

Derek

-----Original Message-----
From: Frank Reid [mailto:reid.frank () mail navy mil]
Sent: Saturday, January 25, 2003 9:28 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] MS-SQL Worm Signature

Snort says this rule is invalid (assumedly based on the content string?). Anyone have a working version?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of -=Quequero=-
Sent: Saturday, January 25, 2003 9:16 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] MS-SQL Worm Signature

Hi all,

I've done a simple signature for detecting this worm; it should work (or at least, it works here :P):

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan"; content:"|68 47 65 74 54 66 b9 6c 6c|"; classtype:attempted-admin;)

If there are errors please correct me. Thanks a lot to all, happy fishing :)

-=Quequero=-
SpP/Member www.spippolatori.com
UIC Founder www.quequero.tk
Linux Registered User #207978

-------------------------------------------------------
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
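The thread above turns on two things: what the posted rule actually matches (UDP to port 1434, $EXTERNAL_NET -> $HOME_NET, a fixed byte string in the payload) and what happens when the direction is flipped to $HOME_NET -> $EXTERNAL_NET and one infected internal host floods the alert database. The following is an added example, not code from any of the posters or from the Snort project: it reimplements those rule checks in plain Python over raw IPv4/UDP frames, takes the content bytes straight from the posted rule, and adds a per-source alert cap to show the flood. The $HOME_NET of 10.0.0.0/8, the addresses, the benign 0x02 request and the worm-like payload (an SSRS request-type byte 0x04, 0x01 filler, then the rule's pattern) are all constructed for the example; no real worm capture is used.

```python
"""Added example, not code from the original posts: a pure-Python stand-in for
the rule discussed in this thread (UDP, destination port 1434, $EXTERNAL_NET ->
$HOME_NET, content |68 47 65 74 54 66 b9 6c 6c|), run over constructed packets.
HOME_NET, every address and every payload below are assumptions for the example."""
import ipaddress
import struct
from collections import Counter

SSRS_PORT = 1434                                    # SQL Server Resolution Service
WORM_PATTERN = bytes.fromhex("684765745466b96c6c")   # content bytes from the posted rule
HOME_NET = ipaddress.ip_network("10.0.0.0/8")       # assumed $HOME_NET for the example


def in_net(addr, which):
    """$HOME_NET membership, or its complement for $EXTERNAL_NET."""
    inside = ipaddress.ip_address(addr) in HOME_NET
    return inside if which == "HOME" else not inside


def build_udp_packet(src, dst, sport, dport, payload):
    """Minimal IPv4+UDP frame; checksums left at zero since nothing is sent."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + udp


def parse_udp_packet(pkt):
    """Return (src, dst, sport, dport, payload), or None if not IPv4/UDP."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    sport, dport, ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return src, dst, sport, dport, pkt[ihl + 8:ihl + ulen]


def matches_rule(pkt, src_net="EXTERNAL", dst_net="HOME"):
    """Same checks as the posted rule; src_net/dst_net let you flip the direction
    the way Derek did (HOME -> EXTERNAL)."""
    parsed = parse_udp_packet(pkt)
    if parsed is None:
        return False
    src, dst, _sport, dport, payload = parsed
    return (dport == SSRS_PORT and in_net(src, src_net) and in_net(dst, dst_net)
            and WORM_PATTERN in payload)


def run_detector(packets, src_net="EXTERNAL", dst_net="HOME", max_alerts_per_src=100):
    """Apply the rule to each packet; cap alerts per source address so one
    infected host cannot flood the alert store.  Returns (alerts, suppressed)."""
    alerts, seen, suppressed = [], Counter(), 0
    for pkt in packets:
        if not matches_rule(pkt, src_net, dst_net):
            continue
        src, dst, _, _, _ = parse_udp_packet(pkt)
        seen[src] += 1
        if seen[src] > max_alerts_per_src:
            suppressed += 1
        else:
            alerts.append(("HELL-SQL Worm Scan", src, dst))
    return alerts, suppressed


def worm_like_payload():
    """Constructed stand-in, not the real worm body: the SSRS request-type byte
    0x04, a run of 0x01 filler, then the bytes the rule's content option wants."""
    return b"\x04" + b"\x01" * 96 + WORM_PATTERN + b"\x00" * 16


def sample_traffic():
    """Constructed packets: one inbound hit, one benign SSRS request, and a
    500-packet outbound burst from a single internal host."""
    inbound = build_udp_packet("203.0.113.7", "10.1.2.3", 40000, SSRS_PORT, worm_like_payload())
    benign = build_udp_packet("203.0.113.8", "10.1.2.3", 40001, SSRS_PORT, b"\x02")
    outbound = [build_udp_packet("10.9.9.9", "198.51.100.%d" % (i % 250 + 1), 1030,
                                 SSRS_PORT, worm_like_payload()) for i in range(500)]
    return inbound, benign, outbound


if __name__ == "__main__":
    inbound, benign, outbound = sample_traffic()
    alerts, dropped = run_detector([inbound, benign] + outbound)
    print("EXTERNAL -> HOME: %d alert(s), %d suppressed" % (len(alerts), dropped))
    alerts, dropped = run_detector(outbound, "HOME", "EXTERNAL")
    print("HOME -> EXTERNAL: %d alert(s), %d suppressed" % (len(alerts), dropped))
```

With the rule in its posted direction the 500 outbound packets from 10.9.9.9 never match, which is why Derek's original configuration was quiet; flip the direction and every one of them matches, and only the per-source cap keeps the alert count bounded. The cap is example logic, not a Snort feature the thread relies on; in a real deployment the equivalent is rate limiting in the IDS or, as Derek did, blocking UDP/1434 at the router.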
Current thread:
- RE: MS-SQL Worm Signature, (continued)
- RE: MS-SQL Worm Signature Rich Adamson (Jan 25)
- RE: MS-SQL Worm Signature Rich Adamson (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- Re: MS-SQL Worm Signature Martin Roesch (Jan 25)
- RE: MS-SQL Worm Signature Frank Reid (Jan 27)
- Re: MS-SQL Worm Signature Erick Mechler (Jan 27)
- RE: MS-SQL Worm Signature Gordon Cunningham (Jan 27)
- Re: MS-SQL Worm Signature Martin Roesch (Jan 27)
- RE: MS-SQL Worm Signature Frank Reid (Jan 25)
- Re: MS-SQL Worm Signature -=Quequero=- (Jan 25)
- RE: MS-SQL Worm Signature O'Flynn, Derek (Jan 27)