[Bro] Sasser Policy?

Mike Hsiao hsiaom26 at hotmail.com
Wed Oct 17 09:01:00 PDT 2007


Currently, I'm studying the worm behaviors, such as Blaster, Sasser, ... .
And the policy script blaster.bro can detects instances of the W32.Blaster.

Is there any policy that can be used for detecting Sasser?
Or any other scanning policy can capture the scanning event of Sasser worm?
I would like to understand how (or what approaches) Bro to detect Sasser.

Any help will be appreciated, thanks.


More information about the Bro mailing list