alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"HELL-SQL Worm Scan";content:"|684765745466b96c6c|";classtype:attempted-admin;)

alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg: "SQLSLAMMER"; content:"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity";content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994; rev:1;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"W32.SQLEXP.Worm propagation"; content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|";content:"|04|"; offset:0; depth:1;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity";content:"|81f10301049b81f101|"; classtype:bad-unknown; sid:9994; rev:1;)

Swap external and home net to see both vectors for this worm.

james
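
An added example, not part of the original post: a Python model of how the content, offset and depth options in two of the rules above are evaluated, plus the direction swap the post suggests. The function names, the simplified matching (case-sensitive, no other modifiers) and the payloads are assumptions constructed for illustration; this is not Snort's engine and the payloads are not captured packets.

```python
import re
# Two rules from the post above; everything after RULES is constructed for this example.
RULES = [
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"W32.SQLEXP.Worm propagation"; '
    'content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|";content:"|04|"; offset:0; depth:1;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity";'
    'content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994; rev:1;)',
]
OPT = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*)\s*;')

def decode_content(text):
    """Turn Snort content syntax (literal text with |hex| runs) into bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_rule(rule):
    """Return (header fields, content matches); offset/depth bind to the preceding content."""
    header, body = rule.split("(", 1)
    contents = []
    for key, val in OPT.findall(body):
        if key == "content":
            contents.append({"pat": decode_content(val.strip('"')), "offset": 0, "depth": None})
        elif key in ("offset", "depth") and contents:
            contents[-1][key] = int(val)
    return header.split(), contents

def matches(contents, payload):
    """Every content must occur, fully inside [offset, offset+depth) when depth is set."""
    for c in contents:
        end = None if c["depth"] is None else c["offset"] + c["depth"]
        if payload.find(c["pat"], c["offset"], end) < 0:
            return False
    return True

def swap_direction(rule):
    """Exchange the source and destination address variables, keeping the ports in place."""
    header, body = rule.split("(", 1)
    f = header.split()
    f[2], f[5] = f[5], f[2]
    return " ".join(f) + " (" + body

# Constructed payloads: signature bytes plus filler, not a captured packet.
HIT = b"\x04" + b"\x01" * 8 + b"A" * 16 + b"h.dllhel32hkern" + b"B" * 4
SHIFTED = b"\x00" + HIT  # 0x04 is now at byte 1, outside offset:0 depth:1

if __name__ == "__main__":
    print([matches(parse_rule(r)[1], p) for r in RULES for p in (HIT, SHIFTED)])
```

The rule that pins 0x04 to the first byte stops matching once the payload is shifted by one byte, while the unanchored eight-byte content still matches anywhere in the datagram.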