[Bro] Sasser Policy?

[Mike Hsiao]

Hi,

Currently, I'm studying the worm behaviors, such as Blaster, Sasser, ... .
And the policy script blaster.bro can detects instances of the W32.Blaster.

Is there any policy that can be used for detecting Sasser?
Or any other scanning policy can capture the scanning event of Sasser worm?
I would like to understand how (or what approaches) Bro to detect Sasser.

Any help will be appreciated, thanks.

Regards,
Mike