North American Network Operators Group


Snort rules for "Sapphire" Worm

  • From: James-lists
  • Date: Sat Jan 25 20:32:21 2003

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan"; content:"|684765745466b96c6c|"; classtype:attempted-admin;)
alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQLSLAMMER"; content:"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"W32.SQLEXP.Wormpropagation"; content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; content:"|04|"; offset:0; depth:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|81f10301049b81f101|"; classtype:bad-unknown; sid:9994; rev:1;)

Swap external and home net to see both vectors
for this worm.

james
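Added illustration (not part of the post above, and not Snort's own code): a minimal Python emulation of how Snort evaluates the `content`, `offset` and `depth` options in the five rules against a udp/1434 payload. The rule patterns are transcribed from the post; the payloads are constructed by stitching those patterns together and are not captured worm traffic. The depth handling (window counted from the offset) is a simplification and an assumption, as is the use of a 0x04 lead byte for a benign SQL Server Resolution Service request.

```python
# Added example: emulate Snort content/offset/depth matching for the rules in
# the post above. Not Snort and not the poster's code; payloads are constructed.
from typing import List, Optional, Tuple


def parse_content(text: str) -> bytes:
    """Turn a Snort content string into bytes.

    Text between '|' characters is hex (spaces optional); everything else is
    literal ASCII, which is how the content option is written in the rules.
    """
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


def content_matches(payload: bytes, pattern: bytes,
                    offset: int = 0, depth: Optional[int] = None) -> bool:
    """Search for pattern inside payload[offset:offset+depth].

    With no offset/depth the whole payload is searched (Snort's default).
    Assumption: depth is counted from the offset.
    """
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


# (msg, [(content, offset, depth), ...]) transcribed from the post's five rules.
# All contents of a rule must match for it to fire; offset/depth bind to the
# content written immediately before them (rule 4's |04|).
RULES: List[Tuple[str, List[Tuple[str, int, Optional[int]]]]] = [
    ("HELL-SQL Worm Scan", [("|684765745466b96c6c|", 0, None)]),
    ("SQLSLAMMER", [("dllhel32hkernQhounthickChGetTf", 0, None)]),
    ("MS-SQL Slammer Worm Activity (sid 9994, 04 01 run)",
     [("|04 01 01 01 01 01 01 01|", 0, None)]),
    ("W32.SQLEXP.Wormpropagation", [
        ("|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|", 0, None),
        ("|04|", 0, 1),  # offset:0; depth:1 -> first payload byte only
    ]),
    ("MS-SQL Slammer Worm Activity (sid 9994, 81 f1 bytes)",
     [("|81f10301049b81f101|", 0, None)]),
]


def fired_rules(payload: bytes) -> List[str]:
    """Return the msg of every rule whose contents all match the payload."""
    hits = []
    for msg, contents in RULES:
        if all(content_matches(payload, parse_content(c), off, dep)
               for c, off, dep in contents):
            hits.append(msg)
    return hits


# Constructed payload: the rule patterns stitched together so every rule fires.
# This is NOT a capture of the worm packet.
SAMPLE_PAYLOAD = (
    b"\x04" + b"\x01" * 7                   # 0x04 lead byte plus the 01 run (rule 3)
    + b"h.dllhel32hkernQhounthickChGetTf"   # ASCII patterns from rules 2 and 4
    + bytes.fromhex("b96c6c")               # completes 'hGetTf' b9 'll' from rule 1
    + bytes.fromhex("81f10301049b81f101")   # bytes from rule 5
)

# Constructed benign request: 0x04 lead byte (assumed SSRP instance lookup)
# followed by an instance name, none of the worm strings. No rule should fire.
BENIGN_PAYLOAD = b"\x04" + b"MSSQLSERVER\x00"

# Shifting by one byte shows what offset:0; depth:1 does: rule 4 stops firing
# because 0x04 is no longer the first byte, while whole-payload searches still hit.
SHIFTED_PAYLOAD = b"\x00" + SAMPLE_PAYLOAD

if __name__ == "__main__":
    for name, p in (("sample", SAMPLE_PAYLOAD), ("benign", BENIGN_PAYLOAD),
                    ("shifted", SHIFTED_PAYLOAD)):
        print(name, fired_rules(p))
```

The shifted payload is the instructive case: the two rules tagged sid:9994 and the two ASCII-string rules still fire, but the `W32.SQLEXP` rule does not, because its second content is pinned to the first byte. Note also that rules 3 and 5 share sid:9994 as posted; a Snort instance loading both will complain about the duplicate.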