[55222] in North American Network Operators' Group


Snort rules for "Sapphire" Worm

daemon@ATHENA.MIT.EDU (James-lists)
Sat Jan 25 20:29:58 2003

From: "James-lists" <hackerwacker@cybermesa.com>
To: <nanog@merit.edu>
Date: Sat, 25 Jan 2003 17:12:28 -0700
Errors-To: owner-nanog-outgoing@merit.edu


# Snort rules for the Slammer (W32.SQLExp) worm, one rule per line
# (the original post wrapped them; Snort needs each rule on a single line).

# hex of the "GetT" push followed by the "ll" the worm moves into cx
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan"; content:"|68 47 65 74 54 66 b9 6c 6c|"; classtype:attempted-admin;)

# the same region of the packet, written as the ASCII the pushes spell out
alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQLSLAMMER"; content:"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)

# leading 0x04 byte of the datagram followed by the run of 0x01 padding
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994; rev:1;)

# "h.dllhel32hkern" plus a check that byte 0 of the payload is 0x04 (offset:0; depth:1)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"W32.SQLEXP.Worm propagation"; content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; content:"|04|"; offset:0; depth:1;)

# the xor ecx sequence from the worm body; sid renumbered from 9994 as posted,
# because Snort will not load two different rules carrying the same sid/rev
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|81 f1 03 01 04 9b 81 f1 01|"; classtype:bad-unknown; sid:9995; rev:1;)

Swap external and home net to see both vectors
for this worm.

james
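Added example, not part of the post or the NANOG archive: a small Python matcher that parses Snort content strings (including the |hex| sections) and applies the five rules' content/offset/depth checks to UDP/1434 payloads, so the signatures above can be tested offline. The two sample datagrams and the addresses are constructed, not captured traffic; the first simply concatenates the byte fragments the rules look for, and the second is a one-byte SSRP discovery ping that the rules must not flag.

```python
def snort_content_to_bytes(content):
    r"""Turn a Snort content string into raw bytes.

    Text outside '|...|' is literal; text between pipes is hex, spaces
    optional, e.g. 'ab|04 01|cd' -> b'ab\x04\x01cd'.
    """
    out = bytearray()
    for i, piece in enumerate(content.split("|")):
        # odd-numbered pieces sit between a pair of pipes: hex bytes
        out += bytes.fromhex(piece) if i % 2 else piece.encode("latin-1")
    return bytes(out)


# (msg, [(content, offset, depth), ...]) taken from the rules in the post.
# offset/depth of None means "search the whole payload", as in Snort.
SLAMMER_RULES = [
    ("HELL-SQL Worm Scan", [("|684765745466b96c6c|", None, None)]),
    ("SQLSLAMMER", [("dllhel32hkernQhounthickChGetTf", None, None)]),
    ("MS-SQL Slammer Worm Activity", [("|04 01 01 01 01 01 01 01|", None, None)]),
    ("W32.SQLEXP.Worm propagation",
     [("|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|", None, None), ("|04|", 0, 1)]),
    ("MS-SQL Slammer Worm Activity (xor)", [("|81f10301049b81f101|", None, None)]),
]


def content_matches(payload, content, offset=None, depth=None):
    """Snort semantics: start at `offset`, look at no more than `depth` bytes."""
    needle = snort_content_to_bytes(content)
    start = offset or 0
    window = payload[start:] if depth is None else payload[start:start + depth]
    return needle in window


def matching_rules(payload):
    """Return the msg of every rule whose content options all match."""
    return [msg for msg, contents in SLAMMER_RULES
            if all(content_matches(payload, *c) for c in contents)]


def scan_datagrams(datagrams):
    """datagrams: iterable of (src, dst, dport, payload). Yields one alert
    line per matching rule, only for UDP/1434 like the rules' port filter."""
    for src, dst, dport, payload in datagrams:
        if dport != 1434:
            continue
        for msg in matching_rules(payload):
            yield "[%s] %s -> %s:%d udp" % (msg, src, dst, dport)


# Constructed test vectors, not real captures (see lead-in).
SAMPLE_SLAMMER = (b"\x04" + b"\x01" * 7
                  + b"h.dllhel32hkernQhounthickChGetTf\xb9ll"
                  + b"\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01")
SAMPLE_BENIGN = b"\x02"  # SSRP client broadcast ping, benign UDP/1434 traffic

if __name__ == "__main__":
    for line in scan_datagrams([("10.0.0.5", "10.0.0.9", 1434, SAMPLE_SLAMMER),
                                ("10.0.0.7", "10.0.0.9", 1434, SAMPLE_BENIGN)]):
        print(line)
```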

