Pantek Library

Re: Did IDSes detect the SQL worm?

From: Bandar Alzaaidi <alzaaidi(at)hotmail.com>
Date: Thu Jan 30 2003 - 15:27:13 EST


Todd,

Symantec ManHunt can detect it.



ManHunt Protocol Anomaly Detection technology detects the traffic generated by this threat as a UDP flood. To specifically detect this threat as W32.SQLExp.Worm, Symantec recommends that users of the ManHunt product activate the HYBRID MODE function and apply the following custom rule:
*******************start file********************

#
# Variables need to be set depending on the user's network. Below are examples of how to set
# a variable. For more information see ManHunt Administrative Guide: Appendix A.

#
#var EXTERNAL_NET 192.168.1.0/24
#
#
#

var EXTERNAL_NET any
var HOME_NET any
#
#
#

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"W32.SQLEXP.Worm propagation"; content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; content:"|04|"; offset:0; depth:1;)
*************EOF*********************

http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html

-Bandar

>From: Todd Heberlein <todd_heberlein@mac.com>
>To: focus-ids@securityfocus.com
>Subject: Did IDSes detect the SQL worm?
>Date: Tue, 28 Jan 2003 15:41:40 -0800
>
>Much has been made about the fact that the vulnerability exploited by the



Received on Fri Jan 31 12:22:20 2003
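
The matching logic of the rule quoted in the message above, as an added example that is not part of the original post or of Symantec's advisory: a small Python evaluator that parses the rule text and applies it to constructed payloads. It assumes Snort-style semantics (`offset` and `depth` modify the preceding `content`), skips address checks because both variables are `any`, and uses hypothetical function names and sample datagrams.

```python
import re

# The rule text exactly as quoted in the message above.
RULE = ('alert udp $EXTERNAL_NET any -> $HOME_NET 1434 '
        '(msg:"W32.SQLEXP.Worm propagation"; '
        'content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; '
        'content:"|04|"; offset:0; depth:1;)')

def decode_content(spec):
    """Decode a content string: |..| sections are hex bytes, the rest literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_rule(rule):
    """Return (protocol, destination port, list of content checks)."""
    header, options = rule.split("(", 1)
    fields = header.split()  # action proto src sport -> dst dport
    contents = []
    for key, value in re.findall(r'(\w+):\s*("[^"]*"|[^;]*);', options):
        if key == "content":
            contents.append({"pattern": decode_content(value.strip('"')),
                             "offset": 0, "depth": None})
        elif key in ("offset", "depth") and contents:
            contents[-1][key] = int(value)  # binds to the preceding content
    return fields[1], int(fields[6]), contents

def matches(rule, proto, dst_port, payload):
    """True only if the header fits and every content check is satisfied."""
    r_proto, r_port, contents = parse_rule(rule)
    if (proto, dst_port) != (r_proto, r_port):
        return False
    for c in contents:
        end = None if c["depth"] is None else c["offset"] + c["depth"]
        if c["pattern"] not in payload[c["offset"]:end]:
            return False
    return True

# Constructed datagram payloads (filler bytes, not captured traffic).
SIG = decode_content("|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|")
SAMPLES = {
    "lead_byte_only": b"\x04" + b"A" * 40,         # 0x04, no pattern
    "pattern_only": b"\x02" + b"A" * 32 + SIG,     # pattern, wrong byte 0
    "both": b"\x04" + b"A" * 32 + SIG + b"B" * 8,  # satisfies both checks
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, matches(RULE, "udp", 1434, payload))
```

The first `content` decodes to the ASCII bytes `h.dllhel32hkern` and may appear anywhere in the payload, while `offset:0; depth:1` pins `|04|` to the first payload byte, so only a datagram satisfying both checks raises the alert.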

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:08 EDT

