slammer

Jukka JUSLIN Jukka.Juslin at cern.ch
Wed Jan 29 01:46:54 PST 2003 

Which one is better, the hexa or clear text payload matching? I suppose
the hexa is at least faster and all standard snort signatures are matching
hexadecimal. I just looked at your signatures and the first one was the
cleartext, it didn't work for me with snort.

Jukka

On Wed, 29 Jan 2003, Robin Sommer wrote:

> 
> On Mon, Jan 27, 2003 at 17:59 -0600, Ayyasamy, Senthilkumar  (UMKC-Student) wrote:
> 
> > Is slammer worm's signature added to Bro?
> 
> Using snort2bro, I've converted some of the various Snort 
> signatures flyring around to Bro's syntax (of course, you've to
> replace 192.168.0.1/16 with your subnet(s)):
> 
> ----- cut ------------------------------------------------------------
> signature slammer1 {
>   ip-proto == udp
>   src-ip == 192.168.0.1/16 
>   dst-ip != 192.168.0.1/16 
>   dst-port == 1434
>   event "SQLSLAMMER"
>   payload /.*dllhel32hkernQhounthickChGetTf/
>   }
> 
> signature slammer2 {
>   ip-proto == udp
>   src-ip != 192.168.0.1/16 
>   dst-ip == 192.168.0.1/16 
>   dst-port == 1434
>   event "HELL-SQL Worm Scan"
>   payload /.*\x68\x47\x65\x74\x54\x66\xb9\x6c\x6c/
>   }
> 
> signature slammer3 {
>   ip-proto == udp
>   src-ip != 192.168.0.1/16 
>   dst-ip == 192.168.0.1/16 
>   dst-port == 1434
>   event "MS-SQL Slammer Worm Activity"
>   payload /.*\x04\x01\x01\x01\x01\x01\x01\x01/
>   }
> 
> signature slammer4 {
>   ip-proto == udp
>   src-ip != 192.168.0.1/16 
>   dst-ip == 192.168.0.1/16 
>   dst-port == 1434
>   event "W32.SQLEXP.Wormpropagation"
>   payload /.*\x68\x2E\x64\x6C\x6C\x68\x65\x6C\x33\x32\x68\x6B\x65\x72\x6E/
>   payload /\x04/
>   }
> 
> signature slammer5 {
>   ip-proto == udp
>   src-ip != 192.168.0.1/16 
>   dst-ip == 192.168.0.1/16 
>   dst-port == 1434
>   event "MS-SQL Slammer WormActivity"
>   payload /.*\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01/
>   }
> ----- cut ------------------------------------------------------------
> 
> 
> Robin
> 
> -- 
> Robin Sommer * Room        01.08.055 * www.net.in.tum.de
> TU Munich    * Phone (089) 289-18006 *  sommer at in.tum.de 
>

More information about the Bro mailing list