slammer

Jordan K Wiens jwiens at nersp.nerdc.ufl.edu
Wed Jan 29 06:04:43 PST 2003


However, from a practical point of view, the hex matching at the bottom is
probably much better.  It might result in more false positives; however, it
will (unaltered) catch more variants of the worm than the other signatures
will.

On a different IDS we run, for example, we had an existing signature long
before the worm that matched /04/(ANY 60 bytes of padding) that was created
for the original exploit and detected the worm without any modification.
Very convenient.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Wed, 29 Jan 2003, Jukka JUSLIN wrote:

>
> Which one is better, the hexa or clear text payload matching? I suppose
> the hexa is at least faster and all standard snort signatures are matching
> hexadecimal. I just looked at your signatures and the first one was the
> cleartext, it didn't work for me with snort.
>
> Jukka
>
> On Wed, 29 Jan 2003, Robin Sommer wrote:
>
> >
> > On Mon, Jan 27, 2003 at 17:59 -0600, Ayyasamy, Senthilkumar  (UMKC-Student) wrote:
> >
> > > Is slammer worm's signature added to Bro?
> >
> > Using snort2bro, I've converted some of the various Snort
> > signatures flying around to Bro's syntax (of course, you have to
> > replace 192.168.0.1/16 with your subnet(s)):
> >
> > ----- cut ------------------------------------------------------------
> > signature slammer1 {
> >   ip-proto == udp
> >   src-ip == 192.168.0.1/16
> >   dst-ip != 192.168.0.1/16
> >   dst-port == 1434
> >   event "SQLSLAMMER"
> >   payload /.*dllhel32hkernQhounthickChGetTf/
> >   }
> >
> > signature slammer2 {
> >   ip-proto == udp
> >   src-ip != 192.168.0.1/16
> >   dst-ip == 192.168.0.1/16
> >   dst-port == 1434
> >   event "HELL-SQL Worm Scan"
> >   payload /.*\x68\x47\x65\x74\x54\x66\xb9\x6c\x6c/
> >   }
> >
> > signature slammer3 {
> >   ip-proto == udp
> >   src-ip != 192.168.0.1/16
> >   dst-ip == 192.168.0.1/16
> >   dst-port == 1434
> >   event "MS-SQL Slammer Worm Activity"
> >   payload /.*\x04\x01\x01\x01\x01\x01\x01\x01/
> >   }
> >
> > signature slammer4 {
> >   ip-proto == udp
> >   src-ip != 192.168.0.1/16
> >   dst-ip == 192.168.0.1/16
> >   dst-port == 1434
> >   event "W32.SQLEXP.Wormpropagation"
> >   payload /.*\x68\x2E\x64\x6C\x6C\x68\x65\x6C\x33\x32\x68\x6B\x65\x72\x6E/
> >   payload /\x04/
> >   }
> >
> > signature slammer5 {
> >   ip-proto == udp
> >   src-ip != 192.168.0.1/16
> >   dst-ip == 192.168.0.1/16
> >   dst-port == 1434
> >   event "MS-SQL Slammer WormActivity"
> >   payload /.*\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01/
> >   }
> > ----- cut ------------------------------------------------------------
> >
> >
> > Robin
> >
> > --
> > Robin Sommer * Room        01.08.055 * www.net.in.tum.de
> > TU Munich    * Phone (089) 289-18006 *  sommer at in.tum.de
> >
>
>
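A worked, defender-side illustration of the tradeoff Jordan and Jukka are discussing, added to this archive page; it is not part of any message in the thread and not Bro's own code. It takes the five payload patterns Robin posted, plus the generic "0x04 followed by padding" rule Jordan describes from the other IDS, re-expresses them as Python byte regexes, and runs them over constructed test payloads. Assumptions: the SSRP instance-lookup format (0x04 followed by an instance name) used for the benign sample, the 60-byte threshold and start-of-payload anchoring of the generic rule, and the "worm-like" and "variant" payloads, which are only the page's own string fragments wrapped in padding, not captured worm traffic.

```python
import re

# The five Bro signatures from Robin's message, reduced to their payload conditions.
# Bro anchors payload regexes at the start of the payload, which is why snort2bro
# emitted a leading ".*"; re.search() gives the same "match anywhere" effect, so
# the ".*" is dropped here. slammer4 has two payload conditions, which Bro ANDs.
SIGNATURES = {
    "slammer1": [rb"dllhel32hkernQhounthickChGetTf"],                  # cleartext form
    "slammer2": [rb"\x68\x47\x65\x74\x54\x66\xb9\x6c\x6c"],             # "hGetTf" 0xb9 "ll"
    "slammer3": [rb"\x04\x01\x01\x01\x01\x01\x01\x01"],                 # 0x04 header + 0x01 padding
    "slammer4": [rb"\x68\x2E\x64\x6C\x6C\x68\x65\x6C\x33\x32\x68\x6B\x65\x72\x6E",
                 rb"\x04"],
    "slammer5": [rb"\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01"],             # the hex rule "at the bottom"
    # Jordan's generic rule from the other IDS: 0x04 then at least 60 bytes of
    # anything. Anchoring at offset 0 and the 60-byte threshold are assumptions.
    "generic_04_padding": [rb"\A\x04.{60,}"],
}


def match_signatures(payload: bytes, dst_port: int = 1434, proto: str = "udp") -> list:
    """Return the names of all signatures whose conditions the packet satisfies.

    Mirrors the header conditions shared by all five signatures (UDP to 1434);
    the src-ip/dst-ip "home net" conditions are left to the caller.
    """
    if proto != "udp" or dst_port != 1434:
        return []
    hits = []
    for name, patterns in SIGNATURES.items():
        # Every payload condition of a signature must match (Bro ANDs them).
        if all(re.search(p, payload, re.DOTALL) for p in patterns):
            hits.append(name)
    return hits


# --- constructed test payloads (not captured traffic) --------------------------
# Worm-like: 0x04 header, a run of 0x01 padding, then the string fragments the
# thread's signatures look for, glued together in an arbitrary order.
WORM_LIKE = (b"\x04" + b"\x01" * 97
             + b"h.dllhel32hkernQhounthickChGetTf\xb9ll"
             + b"\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01")

# Variant: same header, padding and xor sequence, but the readable strings
# replaced. This is the case Jordan's remark about variants is about.
VARIANT = (b"\x04" + b"\x01" * 97
           + b"X" * 33
           + b"\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01")

# Benign: an SSRP instance lookup, assumed to be 0x04 followed by an instance name.
BENIGN_LOOKUP = b"\x04MSSQLSERVER\x00"

# Benign but oversized: a long 0x04 request with no worm content, to show the
# false positive Jordan expects from the broader rule.
LONG_LOOKUP = b"\x04" + b"A" * 70


if __name__ == "__main__":
    for label, pkt in [("worm-like", WORM_LIKE), ("variant", VARIANT),
                       ("benign lookup", BENIGN_LOOKUP), ("long lookup", LONG_LOOKUP)]:
        print(f"{label:14s} -> {match_signatures(pkt)}")
```

Run as a script it prints one line per sample. The worm-like sample trips every rule; the variant with its strings replaced is missed by the three string-based rules (slammer1, slammer2, slammer4) and still caught by slammer3, slammer5 and the generic rule; the short instance lookup trips nothing, which also shows why slammer4's bare /\x04/ condition is only usable ANDed with its string condition; and the long 0x04 request is the false positive the generic rule buys its variant coverage with.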