Greg Saunders wrote:
Hey folks,
How can I identify the SQL slammer if I am capturing all the packets on
my switch through a monitoring port? What specifics should I look for…
is there a filter or something to spot this?
I've seen Martin's reply, and would agree installing Snort would be a
simpler solution than trying to get Ethereal to pick them out.
The Snort rules for CVE CAN-2002-0649 a.k.a. Slammer a.k.a. Sapphire are:
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:6;)

alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:5;)

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL version overflow attempt"; dsize:>100; content:"|04|"; depth:1; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; classtype:misc-activity; sid:2050; rev:5;)
--
There's no point in being grown up if you can't be childish sometimes.
-- Dr. Who
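[Editor's added example, not part of the original thread.] For anyone who does want to check a capture by hand rather than run Snort, the three rules above reduce to a few byte checks on the UDP payload to port 1434: first byte 0x04 (the SQL Server resolution service request type), the fixed byte string from the content: options, the strings "sock" and "send", and for sid 2050 simply a payload longer than 100 bytes. The script below applies those checks to a handful of constructed payloads (none of them are real worm traffic; the only worm-specific bytes present are the signature bytes quoted from the rules). The UdpPacket class and the inbound flag are my own simplifications of Snort's $EXTERNAL_NET -> $HOME_NET direction check, not anything from Snort or Ethereal.

```python
# Added example: apply the content checks of the quoted Snort rules
# (sid 2003, 2004 and 2050) to UDP payloads destined for port 1434.
# This is an editor's illustration, not Snort's own matching engine.
from dataclasses import dataclass

SQL_RESOLUTION_PORT = 1434  # port all three rules watch (UDP)

# Byte sequences copied from the content:"|...|" options of the rules.
SIG_BYTES_INBOUND = bytes.fromhex("81F10301049B81F101")   # sid 2003
SIG_BYTES_OUTBOUND = bytes.fromhex("81F10301049B81F1")    # sid 2004


@dataclass
class UdpPacket:
    """Minimal stand-in for a captured UDP datagram (assumed structure)."""
    inbound: bool      # True: $EXTERNAL_NET -> $HOME_NET; False: $HOME_NET -> $EXTERNAL_NET
    dst_port: int
    payload: bytes


def match_rules(pkt: UdpPacket) -> list[int]:
    """Return the sids of the quoted rules whose conditions the packet satisfies."""
    hits: list[int] = []
    if pkt.dst_port != SQL_RESOLUTION_PORT:
        return hits
    # content:"|04|"; depth:1  -> the very first payload byte must be 0x04
    if pkt.payload[:1] != b"\x04":
        return hits
    # content:"sock"; content:"send" with no offset/distance: anywhere in payload
    has_strings = b"sock" in pkt.payload and b"send" in pkt.payload
    if pkt.inbound and SIG_BYTES_INBOUND in pkt.payload and has_strings:
        hits.append(2003)
    if not pkt.inbound and SIG_BYTES_OUTBOUND in pkt.payload and has_strings:
        hits.append(2004)
    # sid 2050: dsize:>100 on inbound traffic, regardless of the other contents
    if pkt.inbound and len(pkt.payload) > 100:
        hits.append(2050)
    return hits


def sample_packets() -> dict[str, UdpPacket]:
    """Constructed test packets (not captured traffic)."""
    # Constructed payload carrying only the signature bytes from the rules,
    # padded with filler so it is comfortably above the 100-byte threshold.
    sig_payload = (b"\x04" + b"\x01" * 96 + SIG_BYTES_INBOUND
                   + b"sock" + b"send" + b"\x00" * 300)
    # A normal SQL Server resolution request: 0x04 followed by an instance name.
    legit_query = b"\x04MSSQLSERVER"
    # An oversized request with no worm signature: trips only the generic rule.
    oversized = b"\x04" + b"A" * 150
    return {
        "inbound_signature": UdpPacket(True, 1434, sig_payload),
        "outbound_signature": UdpPacket(False, 1434, sig_payload),
        "legit_resolution_query": UdpPacket(True, 1434, legit_query),
        "oversized_no_signature": UdpPacket(True, 1434, oversized),
        "wrong_port": UdpPacket(True, 1433, sig_payload),
    }


def classify_samples() -> dict[str, list[int]]:
    """Run every sample through the rule checks; keyed by sample name."""
    return {name: match_rules(pkt) for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    for name, sids in classify_samples().items():
        print(f"{name:24s} -> {sids or 'no match'}")
```

Note that the oversized sample fires sid 2050 on its own: that rule is a generic "long request to 1434" check (classtype misc-activity), so on a busy network it will also flag large but legitimate resolution requests, which is why the two signature rules (2003/2004) are the ones to treat as a confirmed hit.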