slammer

Is slammer worm's signature added to Bro?
If not, how to go about adding? or any
clue about its signature?

The signature of slammer is quite straightforward, see the packet captures
from securityfocus. Snort had ready and tested signatures available since
Saturday.

Jukka

Using snort2bro, I've converted some of the various Snort
signatures flying around to Bro's syntax (of course, you have to
replace 192.168.0.1/16 with your subnet(s)):

----- cut ------------------------------------------------------------
signature slammer1 {
  ip-proto == udp
  src-ip == 192.168.0.1/16
  dst-ip != 192.168.0.1/16
  dst-port == 1434
  event "SQLSLAMMER"
  payload /.*dllhel32hkernQhounthickChGetTf/
  }

signature slammer2 {
  ip-proto == udp
  src-ip != 192.168.0.1/16
  dst-ip == 192.168.0.1/16
  dst-port == 1434
  event "HELL-SQL Worm Scan"
  payload /.*\x68\x47\x65\x74\x54\x66\xb9\x6c\x6c/
  }

signature slammer3 {
  ip-proto == udp
  src-ip != 192.168.0.1/16
  dst-ip == 192.168.0.1/16
  dst-port == 1434
  event "MS-SQL Slammer Worm Activity"
  payload /.*\x04\x01\x01\x01\x01\x01\x01\x01/
  }

signature slammer4 {
  ip-proto == udp
  src-ip != 192.168.0.1/16
  dst-ip == 192.168.0.1/16
  dst-port == 1434
  event "W32.SQLEXP.Wormpropagation"
  payload /.*\x68\x2E\x64\x6C\x6C\x68\x65\x6C\x33\x32\x68\x6B\x65\x72\x6E/
  payload /\x04/
  }

signature slammer5 {
  ip-proto == udp
  src-ip != 192.168.0.1/16
  dst-ip == 192.168.0.1/16
  dst-port == 1434
  event "MS-SQL Slammer WormActivity"
  payload /.*\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01/
  }
----- cut ------------------------------------------------------------

Robin

Which one is better, the hexa or clear text payload matching? I suppose
the hexa is at least faster, and all standard Snort signatures match
hexadecimal. I just looked at your signatures and the first one was the
cleartext one; it didn't work for me with Snort.

Jukka

At least from Bro's point of view, there's no difference between
giving patterns in clear text or hex.

Robin

However, from a practical point of view, the hex matching at the bottom is
probably much better. It might result in more false positives; however, it
will (unaltered) catch more variants of the worm than the other signatures
will.

On a different IDS we run, for example, we had an existing signature long
before the worm that matched /04/(ANY 60 bytes of padding) that was created
for the original exploit and detected the worm without any modification.
Very convenient.
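To make the thread's points concrete, here is an added example (not code from the list, Bro, or snort2bro) that re-implements Robin's five signatures as a small Python matcher and runs them over constructed UDP datagrams. It assumes Bro's semantics as the thread implies them: conditions inside a signature are ANDed, and payload patterns are anchored at the start of the payload (which is why snort2bro prefixes them with `.*`). The `192.168.0.0/16` network stands in for Robin's `192.168.0.1/16` placeholder, the datagrams and their payloads are constructed from nothing but the byte fragments the signatures themselves look for, and `long_type4_request` is my guess at the shape of the "/04/ plus 60 bytes of padding" rule the last poster describes. It also answers Jukka's hex-versus-cleartext question: both spell the same bytes, and only bytes such as `\xb9` that have no printable form force the hex spelling.

```python
import ipaddress
import re
from dataclasses import dataclass

# Stand-in for Robin's 192.168.0.1/16 placeholder: replace with your own subnet(s).
INTERNAL = ipaddress.ip_network("192.168.0.0/16")


@dataclass
class Signature:
    name: str
    event: str
    src_internal: bool       # True: src-ip == INTERNAL (and dst-ip != INTERNAL); False: the reverse
    dst_port: int
    payloads: list           # compiled bytes regexes; all must match, each anchored at payload start


@dataclass
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes
    proto: str = "udp"


def pat(regex: bytes) -> "re.Pattern":
    # DOTALL so that '.' also matches newline bytes in binary payloads (assumption about Bro's '.').
    return re.compile(regex, re.DOTALL)


# Robin's five signatures, transcribed. slammer1 watches for an infected host *inside*
# our subnet scanning outward; the other four watch inbound traffic.
SIGNATURES = [
    Signature("slammer1", "SQLSLAMMER", True, 1434,
              [pat(rb".*dllhel32hkernQhounthickChGetTf")]),
    Signature("slammer2", "HELL-SQL Worm Scan", False, 1434,
              [pat(rb".*\x68\x47\x65\x74\x54\x66\xb9\x6c\x6c")]),
    Signature("slammer3", "MS-SQL Slammer Worm Activity", False, 1434,
              [pat(rb".*\x04\x01\x01\x01\x01\x01\x01\x01")]),
    Signature("slammer4", "W32.SQLEXP.Wormpropagation", False, 1434,
              [pat(rb".*\x68\x2E\x64\x6C\x6C\x68\x65\x6C\x33\x32\x68\x6B\x65\x72\x6E"),
               pat(rb"\x04")]),                      # second condition: payload starts with 0x04
    Signature("slammer5", "MS-SQL Slammer WormActivity", False, 1434,
              [pat(rb".*\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01")]),
]

# Jukka's question: slammer2's hex pattern and its cleartext spelling are the same bytes.
SLAMMER2_HEX = b"\x68\x47\x65\x74\x54\x66\xb9\x6c\x6c"
SLAMMER2_TEXT = b"hGetTf\xb9ll"


def hex_and_text_are_equivalent() -> bool:
    return SLAMMER2_HEX == SLAMMER2_TEXT


def matches(sig: Signature, dg: Datagram) -> bool:
    if dg.proto != "udp":
        return False
    src_in = ipaddress.ip_address(dg.src) in INTERNAL
    dst_in = ipaddress.ip_address(dg.dst) in INTERNAL
    if src_in != sig.src_internal or dst_in != (not sig.src_internal):
        return False
    if dg.dport != sig.dst_port:
        return False
    # re.match anchors at offset 0, mirroring Bro's anchored payload patterns.
    return all(p.match(dg.payload) for p in sig.payloads)


def fired_events(dg: Datagram, sigs=SIGNATURES) -> list:
    return [s.event for s in sigs if matches(s, dg)]


# Assumed shape of the last poster's pre-existing rule: a type-4 SSRP request
# followed by at least 60 bytes of anything, i.e. far longer than an instance name.
LONG_TYPE4 = pat(rb"\x04.{60}")


def long_type4_request(payload: bytes) -> bool:
    return LONG_TYPE4.match(payload) is not None


# Constructed test traffic: the "worm" payload is only the signature fragments glued together.
WORM_FRAGMENTS = (b"\x04" + b"\x01" * 96
                  + b"h.dllhel32hkernQhounthickChGetTf\xb9ll"
                  + b"\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01")
INBOUND_WORM = Datagram("10.0.0.5", "192.168.1.20", 1434, WORM_FRAGMENTS)
OUTBOUND_WORM = Datagram("192.168.1.20", "10.0.0.5", 1434, WORM_FRAGMENTS)
BENIGN_SSRP = Datagram("10.0.0.5", "192.168.1.20", 1434, b"\x04MSSQLSERVER\x00")  # short instance lookup
WRONG_PORT = Datagram("10.0.0.5", "192.168.1.20", 1433, WORM_FRAGMENTS)

if __name__ == "__main__":
    for label, dg in [("inbound", INBOUND_WORM), ("outbound", OUTBOUND_WORM),
                      ("benign", BENIGN_SSRP), ("wrong port", WRONG_PORT)]:
        print(f"{label:10s} events={fired_events(dg)} long_type4={long_type4_request(dg.payload)}")
    print("hex == text:", hex_and_text_are_equivalent())
```

The inbound datagram fires slammer2 through slammer5 but not slammer1, whose direction conditions only fit an infected host inside the subnet; the outbound copy fires only slammer1. The short legitimate instance lookup fires nothing, while the padding-based rule fires on the long type-4 request and stays quiet on the short one, which is the trade-off the last poster describes: broader coverage of variants at the cost of more possible false positives.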