05-22-2002 09:15 AM - edited 03-08-2019 10:43 PM
Could anyone share a possible string match entry to alarm on the SQL worm that's in the wild? Thanks a bunch.
05-22-2002 11:35 AM
The following is a screen shot of SigWizMenu:
This will detect the 'worm' that is using a default sa account.
Current Signature: Engine STRING.TCP SIGID 20000
SigName: Default sa account access
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireOnce
3 - ChokeThreshold =
4 - Direction = ToService
5 - FlipAddr =
6 - LimitSummary =
7 - MaxInspectLength = 160
8 - MinHits = 1
9 - MinMatchLength =
10 - MultipleHits =
11 * RegexString = [Ss][\x00]?[Aa][\x00]?[\x20-\x7f]
12 - ResetAfterIdle = 15
13 - ServicePorts = 1433
14 - SigComment =
15 - SigName = Default sa account access
16 - SigStringInfo =
17 - StripTelnetOptions =
18 - ThrottleInterval = 15
19 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue
___________________________________________________________________________
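As an added illustration (not part of the original thread and not Cisco's own sensor code), the following Python re-implements the posted RegexString together with the MaxInspectLength, ServicePorts and Direction settings and a FireOnce-style throttle, and runs it over constructed sample TCP segments to show what the signature matches and what it misses. The packet layouts, user names, application names and IP addresses below are assumptions made up for the example, not captured traffic.

```python
"""Re-implementation of the posted STRING.TCP signature for offline testing.

All sample payloads are constructed for this example; none are real captures.
"""
import re
from typing import Dict, Tuple

# RegexString exactly as posted, applied to raw bytes. The optional \x00 after
# each letter lets one pattern match both an ASCII "sa" and a UTF-16LE
# "s\x00a\x00" user name; the trailing [\x20-\x7f] requires a printable byte.
SA_REGEX = re.compile(rb"[Ss][\x00]?[Aa][\x00]?[\x20-\x7f]")
MAX_INSPECT_LENGTH = 160   # MaxInspectLength = 160
SERVICE_PORT = 1433        # ServicePorts = 1433
THROTTLE_INTERVAL = 15.0   # ThrottleInterval = 15 (seconds)


def matches_default_sa(payload: bytes, dst_port: int = SERVICE_PORT) -> bool:
    """True if this client->server segment would count as a hit (MinHits = 1)."""
    if dst_port != SERVICE_PORT:       # Direction = ToService on port 1433 only
        return False
    # Only the first MaxInspectLength bytes of the stream are searched.
    return SA_REGEX.search(payload[:MAX_INSPECT_LENGTH]) is not None


class FireOnceThrottle:
    """Approximation of AlarmThrottle = FireOnce: one alarm per (src, dst)
    pair, then silence for that pair until ThrottleInterval has elapsed."""

    def __init__(self, interval: float = THROTTLE_INTERVAL) -> None:
        self.interval = interval
        self._last_alarm: Dict[Tuple[str, str], float] = {}

    def alarm(self, src: str, dst: str, now: float) -> bool:
        key = (src, dst)
        last = self._last_alarm.get(key)
        if last is not None and now - last < self.interval:
            return False
        self._last_alarm[key] = now
        return True


def u16(s: str) -> bytes:
    """Encode a string as UTF-16LE, as TDS 7.0 login fields are sent."""
    return s.encode("utf-16-le")


# Constructed sample segments (hypothetical layouts, labelled by what they model).
SAMPLES: Dict[str, bytes] = {
    # TDS 7.0-style login: header, then hostname, user "sa", then app name
    "tds7_sa_login": b"\x10\x01\x00\x40\x00\x00\x01\x00" + u16("HOST") + u16("sa") + u16("OSQL"),
    # Older ASCII login with user "sa" followed by a null and a printable byte
    "ascii_sa_login": b"\x02\x00\x00\x20" + b"sa\x00 " + b"secret",
    # Same UTF-16LE layout but user "joe": should not match
    "tds7_other_user": b"\x10\x01\x00\x40\x00\x00\x01\x00" + u16("HOST") + u16("joe") + u16("OSQL"),
    # A query batch containing "sales": matches, a false positive
    "query_with_sales": b"\x01\x01\x00\x30\x00\x00\x01\x00" + u16("SELECT * FROM sales"),
    # "sa" appears only after byte 160: never inspected, no match
    "sa_after_160_bytes": b"\x10\x01" + b"\x00" * 170 + b"sa ",
}


def scan_samples() -> Dict[str, bool]:
    """Run the signature over every constructed sample and report hits."""
    return {name: matches_default_sa(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:22s} {'ALARM' if hit else '-'}")
    throttle = FireOnceThrottle()
    # Hypothetical addresses: the worm retries the same server within 15 s
    print(throttle.alarm("10.0.0.5", "10.0.0.9", 0.0))   # True: first alarm
    print(throttle.alarm("10.0.0.5", "10.0.0.9", 5.0))   # False: throttled
    print(throttle.alarm("10.0.0.5", "10.0.0.9", 20.0))  # True: interval elapsed
```

Two things the run makes visible: the pattern is deliberately broad, so any "sa" followed by a printable byte in the first 160 bytes to port 1433 fires it (the constructed query mentioning "sales" alarms just like the login), and nothing beyond MaxInspectLength is examined, so a login whose user name field sits past byte 160 is not seen. The throttle class is an approximation of FireOnce behaviour for the example, not the sensor's implementation.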
05-22-2002 12:01 PM
Would you be able to create a string sig in CSPM (using the RegexString value above) and push the update to your sensors instead of going through SigWizMenu?
05-23-2002 06:24 AM
Yes you could use the old custom string function in this case, however with some of the more specific signatures written in SILVER that will not always be possible. Please refer to the more recent post before creating your signature as we have released a better set of regular expressions for this WORM.
05-23-2002 07:24 AM
OK.
05-23-2002 11:36 AM
Where is SigWizMenu in 3.1.(2) S23? The only thing I can find is to add it thru IDM.
05-23-2002 11:50 AM
Yes, there is a SigWizMenu. It is deprecated, but can be found at
/usr/nr/bin/.SigWizMenu
Note the period before the command name.
05-23-2002 12:11 PM
Oops, sorry, missed the dot prefix on the command.