2003-01-26(Sun)

_ SQL slammer

The peak seems to have been Saturday afternoon, but I went ahead and added a snort rule anyway.

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg: "SQLSLAMMER"; \
content:  "dll hel32hkernQhounthickChGetTf"; classtype:bad-unknown;)

They still seem to be coming in.

[**] [1:0:0] SQLSLAMMER [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
01/26-14:22:34.150921 218.104.34.138:1910 -> 61.198.194.230:1434
UDP TTL:113 TOS:0x0 ID:7575 IpLen:20 DgmLen:404
Len: 384
[**] [1:0:0] SQLSLAMMER [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
01/26-14:26:52.113520 200.39.150.252:4803 -> 61.198.194.230:1434
UDP TTL:105 TOS:0x0 ID:29706 IpLen:20 DgmLen:404
Len: 384
[**] [1:0:0] SQLSLAMMER [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
01/26-14:27:31.161685 128.248.171.51:1320 -> 61.198.194.230:1434
UDP TTL:106 TOS:0x0 ID:3067 IpLen:20 DgmLen:404
Len: 384
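Added example (my own code, not part of the original diary entry): a small parser for Snort alert records in the layout above, plus a sanity check that the size fields match the worm's fixed packet shape, a 404-byte IP datagram carrying 376 bytes of UDP payload (404 minus the 20-byte IP and 8-byte UDP headers, which is why every hit shows DgmLen:404 and Len: 384). The sample ALERTS text is constructed to mirror the format on the page; the addresses in it are documentation ranges, not the ones logged.

```python
"""Parse Snort 'full' alert records for the SQLSLAMMER rule and summarise hits.

Added example, not from the original diary. ALERTS is a constructed sample
in the same layout as the on-page log; its addresses are invented.
"""
import re
from collections import Counter

ALERTS = """\
[**] [1:0:0] SQLSLAMMER [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/26-14:22:34.150921 198.51.100.7:1910 -> 192.0.2.10:1434
UDP TTL:113 TOS:0x0 ID:7575 IpLen:20 DgmLen:404
Len: 384
[**] [1:0:0] SQLSLAMMER [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/26-14:26:52.113520 198.51.100.7:4803 -> 192.0.2.10:1434
UDP TTL:105 TOS:0x0 ID:29706 IpLen:20 DgmLen:404
Len: 384
[**] [1:0:0] SQLSLAMMER [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/26-14:27:31.161685 203.0.113.51:1320 -> 192.0.2.10:1434
UDP TTL:106 TOS:0x0 ID:3067 IpLen:20 DgmLen:404
Len: 384
"""

# One regex per line type of the 5-line alert record.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
FLOW_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)
IP_RE = re.compile(
    r"^(\w+) TTL:(\d+) TOS:(0x[0-9a-fA-F]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)$"
)
UDP_LEN_RE = re.compile(r"^Len: (\d+)$")

# Slammer's UDP payload is a fixed 376 bytes: 404 - 20 (IP) - 8 (UDP).
SLAMMER_PAYLOAD_LEN = 376


def parse_alerts(text):
    """Turn each alert record into a dict; lines that match nothing are skipped."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {
                "gid": int(m.group(1)), "sid": int(m.group(2)),
                "rev": int(m.group(3)), "msg": m.group(4),
            }
            records.append(current)
            continue
        if current is None:
            continue  # stray line before the first header
        m = FLOW_RE.match(line)
        if m:
            current.update(ts=m.group(1), src=m.group(2), sport=int(m.group(3)),
                           dst=m.group(4), dport=int(m.group(5)))
            continue
        m = IP_RE.match(line)
        if m:
            current.update(proto=m.group(1), ttl=int(m.group(2)),
                           ip_id=int(m.group(4)), ip_len=int(m.group(5)),
                           dgm_len=int(m.group(6)))
            continue
        m = UDP_LEN_RE.match(line)
        if m:
            current["udp_len"] = int(m.group(1))
    return records


def looks_like_slammer(rec):
    """Cross-check port and the three length fields against the worm's packet shape."""
    if rec.get("proto") != "UDP" or rec.get("dport") != 1434:
        return False
    if "dgm_len" not in rec or "ip_len" not in rec or "udp_len" not in rec:
        return False
    if rec["dgm_len"] - rec["ip_len"] != rec["udp_len"]:
        return False  # IP and UDP lengths disagree; not a clean record
    return rec["udp_len"] - 8 == SLAMMER_PAYLOAD_LEN


def sources_by_count(records):
    """Alerts per source address for records that pass the shape check, busiest first."""
    return Counter(r["src"] for r in records if looks_like_slammer(r)).most_common()


if __name__ == "__main__":
    for src, n in sources_by_count(parse_alerts(ALERTS)):
        print(f"{src}\t{n}")
```

The shape check is deliberately separate from the content match in the snort rule: the rule fires on the byte string, and the parser then confirms the datagram sizes are the ones the worm always produces, which weeds out mis-sized hits before you start counting sources.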