String match for SQLspida ???

jballay
Level 1

Could anyone share a possible string match entry to alarm on the SQL worm that's in the wild? Thanks a bunch.

7 Replies

anthall
Level 1

The following is a screen shot of SigWizMenu:

This will detect the 'worm' that is using a default sa account.

Current Signature: Engine STRING.TCP SIGID 20000
SigName: Default sa account access
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireOnce
3 - ChokeThreshold =
4 - Direction = ToService
5 - FlipAddr =
6 - LimitSummary =
7 - MaxInspectLength = 160
8 - MinHits = 1
9 - MinMatchLength =
10 - MultipleHits =
11 * RegexString = [Ss][\x00]?[Aa][\x00]?[\x20-\x7f]
12 - ResetAfterIdle = 15
13 - ServicePorts = 1433
14 - SigComment =
15 - SigName = Default sa account access
16 - SigStringInfo =
17 - StripTelnetOptions =
18 - ThrottleInterval = 15
19 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue
___________________________________________________________________________
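As an added example that is not part of anthall's post or any Cisco code, the RegexString above is applied in Python with the listing's Direction, ServicePorts and MaxInspectLength rules to a few constructed TCP payloads. It shows why the optional \x00 is there (the "sa" login name may arrive as plain ASCII or as UCS-2), and also that the pattern fires on any "sa" followed by a printable byte, so a benign query containing "Sales" matches too.

```python
import re

# RegexString from the SigWizMenu listing, compiled as a bytes pattern.
# The optional \x00 after each letter lets it match "sa" in plain ASCII
# and in the UCS-2 (UTF-16LE) form MSSQL clients use for login names.
SA_REGEX = re.compile(rb"[Ss][\x00]?[Aa][\x00]?[\x20-\x7f]")
SERVICE_PORT = 1433   # ServicePorts = 1433
MAX_INSPECT = 160     # MaxInspectLength = 160


def sig_fires(dst_port: int, to_service: bool, payload: bytes) -> bool:
    """Apply the listing's rules to one TCP segment: Direction = ToService,
    destination port 1433, only the first MaxInspectLength bytes inspected,
    and MinHits = 1 so a single match is enough."""
    if not to_service or dst_port != SERVICE_PORT:
        return False
    return SA_REGEX.search(payload[:MAX_INSPECT]) is not None


# Constructed sample segments (not real captures). The "login" payloads are
# only loosely shaped like a TDS login packet, not faithful reproductions.
TDS_HDR = b"\x10\x01\x00\x30" + b"\x00" * 20
SAMPLES = {
    "ascii_sa_login":    (1433, True,  TDS_HDR + b"sa\x00secret"),
    "ucs2_sa_login":     (1433, True,  TDS_HDR + "sa".encode("utf-16-le") + b"\x20\x00"),
    "ucs2_other_login":  (1433, True,  TDS_HDR + "appuser".encode("utf-16-le")),
    "sa_past_160_bytes": (1433, True,  b"\x00" * 170 + b"sa "),
    "sa_from_service":   (1433, False, b"sa "),
    "sa_on_other_port":  (80,   True,  b"GET /sa/ HTTP/1.0\r\n"),
    "benign_query":      (1433, True,  b"SELECT * FROM Sales"),
}


def firing_samples() -> list:
    """Names of the constructed samples that trigger the signature."""
    return [name for name, (port, to_svc, data) in SAMPLES.items()
            if sig_fires(port, to_svc, data)]


if __name__ == "__main__":
    for name, (port, to_svc, data) in SAMPLES.items():
        print(f"{name:20s} fires={sig_fires(port, to_svc, data)}")
```

The breadth of the match is why the listing pairs it with AlarmThrottle = FireOnce and ThrottleInterval = 15; tune those, or narrow the regex, before pushing it to a busy sensor.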

Would you be able to create a string sig in CSPM (using the RegexString value above) and push the update to your sensors instead of going through SigWizMenu?

Yes, you could use the old custom string function in this case; however, with some of the more specific signatures written in SILVER that will not always be possible. Please refer to the more recent post before creating your signature, as we have released a better set of regular expressions for this WORM.

OK.

dlac455
Level 1

Where is SigWizMenu in 3.1.(2) S23? The only thing I can find is to add it through IDM.

Yes, there is a SigWizMenu. It is deprecated, but can be found at

/usr/nr/bin/.SigWizMenu

Note the period before the command name.

oops, sorry, missed the dot prefix on the command
