Snort mailing list archives

MSBlast snort signatures


From: <CGhercoias () TWEC COM>
Date: Tue, 12 Aug 2003 21:28:36 -0400

Hello,

For those interested, here are the Snort signatures for the MSBlast worm.
We were hit yesterday, so we had to deal with it.
Still don't know how this entered our network, via email or brought
in by a user surfing a web site, but I've seen a lot of TFTP Get over
UDP/69 coming from workstations which have no business running TFTP
servers.

# Content is the TFTP read-request opcode (00 01) followed by "msblast.exe":
# 13 bytes, so depth must be at least 13 for the pattern to fit in the window.
alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( sid: 1000024; rev: 3; \
  msg: "W32/MSBLAST Worm over TFTP"; \
  content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; \
  reference: url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; \
  classtype: trojan-activity; priority: 1;)

alert udp $EXTERNAL_NET any -> $HOME_NET any ( sid: 1000025; rev: 4; \
  msg: "W32/MSBLAST Worm ANY"; \
  content: "|00 01 6D 73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 13; \
  reference: url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A; \
  classtype: trojan-activity; priority: 1;)

Please let me know if they were of any help.

Thank you, 
______________________________________________
Catalin Ghercoias
  
Office Phone: +(518) 452-1242 Ext.7435 
Fax: (518) 452-4768 
mail: cghercoias () twec com
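
Added example (not part of the original post): a small Python model of Snort's content/offset/depth window applied to the 13-byte pattern from the rules above, showing that a window shorter than the pattern can never match. The helper names, the sample payloads and the case-insensitive option (Snort's nocase, which goes beyond the posted rules) are assumptions made for illustration.

```python
# Added example: models how Snort's offset/depth window applies to a content pattern.
# Pattern from the rules: TFTP opcode 00 01 (read request) + "msblast.exe" = 13 bytes.
PATTERN = bytes.fromhex("00016d73626c6173742e657865")

def content_match(payload, pattern, offset=0, depth=None, nocase=False):
    """True if pattern lies entirely inside payload[offset:offset+depth]."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:  # like Snort's nocase modifier: compare ASCII letters case-insensitively
        window, pattern = window.lower(), pattern.lower()
    return pattern in window

def tftp_request(opcode, filename, mode="octet"):
    """Build a TFTP RRQ (opcode 1) or WRQ (opcode 2) payload per RFC 1350."""
    return bytes([0, opcode]) + filename.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"

def parse_tftp_request(payload):
    """Decode (operation, filename, mode) from an RRQ/WRQ payload, or None if it is neither."""
    if len(payload) < 4 or payload[:2] not in (b"\x00\x01", b"\x00\x02"):
        return None
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3:
        return None  # filename or mode not NUL-terminated
    op = "RRQ" if payload[1] == 1 else "WRQ"
    return op, parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace").lower()

# Constructed sample UDP payloads (not captured traffic).
SAMPLES = {
    "rrq_msblast": tftp_request(1, "msblast.exe"),
    "rrq_upper": tftp_request(1, "MSBLAST.EXE"),
    "rrq_other": tftp_request(1, "router-config.bin"),
    "wrq_msblast": tftp_request(2, "msblast.exe"),
}

def evaluate(depth, nocase=False):
    """Return the names of the samples that the content match would alert on."""
    return sorted(name for name, data in SAMPLES.items()
                  if content_match(data, PATTERN, offset=0, depth=depth, nocase=nocase))

if __name__ == "__main__":
    for depth in (2, 13):
        print(f"depth={depth:2d} exact : {evaluate(depth)}")
    print(f"depth=13 nocase: {evaluate(13, nocase=True)}")
    for name, data in SAMPLES.items():
        print(name, parse_tftp_request(data))
```
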


