Snort rules for "Sapphire" Worm

James-lists hackerwacker at cybermesa.com
Sun Jan 26 00:12:28 UTC 2003


# Each rule must sit on a single line; the archive had wrapped them mid-rule.
# Inbound: "hGetTf" followed by the worm's mov cx,'ll' bytes (66 b9 6c 6c)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan"; content:"|684765745466b96c6c|"; classtype:attempted-admin;)
# Outbound: the ASCII string left by the worm's push sequence
alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQLSLAMMER"; content:"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)
# Inbound: 0x04 type byte followed by the run of 0x01 padding
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994; rev:1;)
# Inbound: "h.dllhel32hkern" plus a 0x04 type byte at offset 0 (depth 1 = first byte only)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"W32.SQLEXP.Worm propagation"; content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; content:"|04|"; offset:0; depth:1;)
# Inbound: the worm's xor ecx sequence; sid renumbered from 9994 so it no longer collides with the rule above
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|81f10301049b81f101|"; classtype:bad-unknown; sid:9995; rev:1;)

Swap external and home net to see both vectors
for this worm.

james
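An added example, not part of the post: a small Python matcher that turns the content strings of the rules above into bytes (Snort's mixed `|hex|`/ASCII syntax, honouring `offset`/`depth`) and runs them over two constructed payloads, one carrying the signature fragments and one ordinary SSRP instance lookup, to show that the `|04|` rule only fires because its second content must match too.

```python
# Added example: evaluate the posted rules' content checks against
# constructed UDP/1434 payloads. Offsets/depths are taken from the post.
RULES = [
    ("HELL-SQL Worm Scan", [("|684765745466b96c6c|", 0, None)]),
    ("SQLSLAMMER", [("dllhel32hkernQhounthickChGetTf", 0, None)]),
    ("MS-SQL Slammer Worm Activity", [("|04 01 01 01 01 01 01 01|", 0, None)]),
    ("W32.SQLEXP.Worm propagation",
     [("|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|", 0, None),
      ("|04|", 0, 1)]),                           # offset:0; depth:1
    ("MS-SQL Slammer Worm Activity (xor)", [("|81f10301049b81f101|", 0, None)]),
]

def snort_content_to_bytes(pattern):
    """Snort content syntax: text between |pipes| is hex, the rest is literal."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2:                                  # odd chunks sit inside pipes
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:                                      # even chunks are literal text
            out += chunk.encode("latin-1")
    return bytes(out)

def content_matches(payload, pattern, offset=0, depth=None):
    """Search only the window selected by offset/depth, as Snort does."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return snort_content_to_bytes(pattern) in window

def matching_rules(payload):
    """Names of rules whose content checks all succeed on this payload."""
    return [name for name, contents in RULES
            if all(content_matches(payload, p, o, d) for p, o, d in contents)]

# Constructed sample assembled from the fragments the rules look for
# (not a captured packet, just the bytes the five contents reference).
SAMPLE_WORM_FRAGMENTS = (b"\x04" + b"\x01" * 7
                         + b"h.dllhel32hkernQhounthickChGetTf\xb9ll"
                         + bytes.fromhex("81f10301049b81f101"))
# Constructed legitimate SSRP instance lookup (type byte 0x04 + instance name):
# shares the leading 0x04 with the worm but none of its strings, so nothing fires.
BENIGN_LOOKUP = b"\x04MSSQLSERVER\x00"

if __name__ == "__main__":
    print(matching_rules(SAMPLE_WORM_FRAGMENTS))   # all five rule names
    print(matching_rules(BENIGN_LOOKUP))           # []
```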




More information about the NANOG mailing list