slammer
Robin Sommer
sommer at in.tum.de
Wed Jan 29 01:29:42 PST 2003
On Mon, Jan 27, 2003 at 17:59 -0600, Ayyasamy, Senthilkumar (UMKC-Student) wrote:
> Is slammer worm's signature added to Bro?
Using snort2bro, I've converted some of the various Snort
signatures flying around to Bro's syntax (of course, you have to
replace 192.168.0.1/16 with your subnet(s)):
----- cut ------------------------------------------------------------
# Outbound: a local host pushing the worm's API-name string fragments.
signature slammer1 {
ip-proto == udp
src-ip == 192.168.0.1/16
dst-ip != 192.168.0.1/16
dst-port == 1434
event "SQLSLAMMER"
payload /.*dllhel32hkernQhounthickChGetTf/
}
# Inbound: "hGetTf" push followed by the 0xb9 "ll" mov.
signature slammer2 {
ip-proto == udp
src-ip != 192.168.0.1/16
dst-ip == 192.168.0.1/16
dst-port == 1434
event "HELL-SQL Worm Scan"
payload /.*\x68\x47\x65\x74\x54\x66\xb9\x6c\x6c/
}
# Inbound: SSRS request type 0x04 followed by the 0x01 filler run.
signature slammer3 {
ip-proto == udp
src-ip != 192.168.0.1/16
dst-ip == 192.168.0.1/16
dst-port == 1434
event "MS-SQL Slammer Worm Activity"
payload /.*\x04\x01\x01\x01\x01\x01\x01\x01/
}
# Inbound: "h.dllhel32hkern" pushes; both payload conditions must hold.
signature slammer4 {
ip-proto == udp
src-ip != 192.168.0.1/16
dst-ip == 192.168.0.1/16
dst-port == 1434
event "W32.SQLEXP.Worm propagation"
payload /.*\x68\x2E\x64\x6C\x6C\x68\x65\x6C\x33\x32\x68\x6B\x65\x72\x6E/
payload /\x04/
}
# Inbound: the xor-immediate sequence from the worm's shellcode.
signature slammer5 {
ip-proto == udp
src-ip != 192.168.0.1/16
dst-ip == 192.168.0.1/16
dst-port == 1434
event "MS-SQL Slammer Worm Activity"
payload /.*\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01/
}
----- cut ------------------------------------------------------------
Robin
--
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Munich * Phone (089) 289-18006 * sommer at in.tum.de
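As an added example (not code from Robin's post or from Bro itself), the five signatures above replayed in Python against a few constructed UDP/1434 datagrams, to show which ones fire in which direction. It assumes 192.168.0.1/16 is the local net as in the post; the sample payloads are constructed from the byte fragments the signatures reference and are not captured worm traffic. Bro anchors a payload regex at the start of the payload, which is why snort2bro emitted the leading `.*` for Snort content matches; `re.match()` reproduces that anchoring.

```python
"""Replay the snort2bro-derived Slammer signatures from the post against a few
constructed UDP/1434 datagrams.  Added example: this is not code from the post
or from Bro; the sample payloads below are constructed from the byte fragments
the signatures reference, not captured worm traffic."""
import ipaddress
import re

# The post writes the local net as 192.168.0.1/16 (host bits set); Python's
# ipaddress needs strict=False to accept that form.
LOCAL_NET = ipaddress.ip_network("192.168.0.1/16", strict=False)

# name -> (direction relative to LOCAL_NET, event string, payload regexes).
# A Bro "payload" regex is implicitly anchored at the start of the payload,
# hence the leading ".*" snort2bro emitted; re.match() anchors the same way.
# When a signature lists several payload conditions (slammer4), all must hold.
SIGNATURES = {
    "slammer1": ("outbound", "SQLSLAMMER",
                 [rb".*dllhel32hkernQhounthickChGetTf"]),
    "slammer2": ("inbound", "HELL-SQL Worm Scan",
                 [rb".*\x68\x47\x65\x74\x54\x66\xb9\x6c\x6c"]),
    "slammer3": ("inbound", "MS-SQL Slammer Worm Activity",
                 [rb".*\x04\x01\x01\x01\x01\x01\x01\x01"]),
    "slammer4": ("inbound", "W32.SQLEXP.Worm propagation",
                 [rb".*\x68\x2E\x64\x6C\x6C\x68\x65\x6C\x33\x32\x68\x6B\x65\x72\x6E",
                  rb"\x04"]),
    "slammer5": ("inbound", "MS-SQL Slammer Worm Activity",
                 [rb".*\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01"]),
}


def match_signatures(src_ip, dst_ip, dst_port, payload, ip_proto="udp"):
    """Return the names of the signatures that fire for one datagram."""
    if ip_proto != "udp" or dst_port != 1434:
        return []
    src_local = ipaddress.ip_address(src_ip) in LOCAL_NET
    dst_local = ipaddress.ip_address(dst_ip) in LOCAL_NET
    hits = []
    for name, (direction, _event, patterns) in SIGNATURES.items():
        if direction == "outbound" and not (src_local and not dst_local):
            continue
        if direction == "inbound" and not (dst_local and not src_local):
            continue
        if all(re.match(p, payload, re.DOTALL) for p in patterns):
            hits.append(name)
    return hits


# Constructed Slammer-like datagram: SSRS request type 0x04, a run of 0x01
# filler, then the fragments the signatures key on (pushed API-name strings
# and the xor immediates).  Constructed for this example, not a real capture.
SLAMMER_LIKE = (
    b"\x04" + b"\x01" * 96
    + b"\x68.dllhel32hkernQhounthickChGetTf\xb9ll"
    + b"\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01\x01\x01\x01"
)
# Constructed benign SSRS traffic: a broadcast discovery ping (type 0x02) and
# a unicast instance lookup (type 0x04 plus an instance name).  The lookup
# shares the worm's leading 0x04, so it checks that slammer3/slammer4 stay
# quiet on legitimate type-0x04 requests.
BENIGN_PING = b"\x02"
BENIGN_INSTANCE_LOOKUP = b"\x04MSSQLSERVER\x00"


def demo():
    """Run the sample datagrams through the signatures; returns {label: hits}."""
    cases = {
        "inbound worm":       ("10.9.8.7", "192.168.1.20", 1434, SLAMMER_LIKE),
        "outbound worm":      ("192.168.1.20", "10.9.8.7", 1434, SLAMMER_LIKE),
        "internal worm":      ("192.168.1.20", "192.168.1.21", 1434, SLAMMER_LIKE),
        "inbound wrong port": ("10.9.8.7", "192.168.1.20", 1433, SLAMMER_LIKE),
        "inbound ping":       ("10.9.8.7", "192.168.1.20", 1434, BENIGN_PING),
        "inbound lookup":     ("10.9.8.7", "192.168.1.20", 1434, BENIGN_INSTANCE_LOOKUP),
    }
    return {label: match_signatures(*args) for label, args in cases.items()}


if __name__ == "__main__":
    for label, hits in demo().items():
        events = [SIGNATURES[h][1] for h in hits]
        print(f"{label:20s} -> {hits or 'no match'} {events}")
```

Two things the replay makes visible: the benign type-0x04 instance lookup trips none of the signatures because slammer3 also needs the 0x01 run and slammer4 needs the pushed strings, and a datagram between two hosts inside 192.168.0.1/16 matches nothing, since every signature requires exactly one endpoint to be local. If internal-to-internal spread is a concern, the src-ip/dst-ip conditions need loosening.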