Cisco Support Community
Community Member

String match for SQLspida ???

Could anyone share a possible string match entry to alarm on the SQL worm that's in the wild? Thanks a bunch.

7 REPLIES
Community Member

Re: String match for SQLspida ???

The following is a screen shot of SigWizMenu:

This will detect the 'worm' that is using a default sa account.

Current Signature: Engine STRING.TCP SIGID 20000
SigName: Default sa account access
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireOnce
3 - ChokeThreshold =
4 - Direction = ToService
5 - FlipAddr =
6 - LimitSummary =
7 - MaxInspectLength = 160
8 - MinHits = 1
9 - MinMatchLength =
10 - MultipleHits =
11 * RegexString = [Ss][\x00]?[Aa][\x00]?[\x20-\x7f]
12 - ResetAfterIdle = 15
13 - ServicePorts = 1433
14 - SigComment =
15 - SigName = Default sa account access
16 - SigStringInfo =
17 - StripTelnetOptions =
18 - ThrottleInterval = 15
19 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue
___________________________________________________________________________
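To see what the RegexString in the listing above actually fires on, here is an added Python example (not code from the thread or from Cisco) that applies the same expression to a few constructed payloads under the listing's other constraints (ServicePorts = 1433, Direction = ToService, MaxInspectLength = 160). The function names, the (dst_port, payload) flow tuples and every sample payload are assumptions made for this example; the samples are constructed, not real captures. It shows that the optional \x00 bytes let the pattern match both plain ASCII "sa" and the null-interleaved form, and that the loose trailing [\x20-\x7f] class also matches "sa" inside unrelated strings such as "sales", which is the false-positive case a defender tuning this signature would want to know about.

```python
import re

# RegexString copied from the SigWizMenu listing (Cisco STRING.TCP engine syntax).
# Python's bytes regexes accept the same \xNN escapes, so it can be reused verbatim.
SA_LOGIN_REGEX = re.compile(rb"[Ss][\x00]?[Aa][\x00]?[\x20-\x7f]")

# Other parameters from the listing that shape what gets inspected.
MAX_INSPECT_LENGTH = 160   # only the first 160 bytes of the stream are examined
SERVICE_PORT = 1433        # ServicePorts = 1433, Direction = ToService


def matches_sa_signature(payload: bytes) -> bool:
    """Return True when the RegexString would fire on this to-service payload.

    Mirrors MaxInspectLength by only searching the first 160 bytes.
    """
    return SA_LOGIN_REGEX.search(payload[:MAX_INSPECT_LENGTH]) is not None


def scan_flows(flows):
    """Return the indexes of flows that would raise the alarm.

    flows: iterable of (dst_port, payload) tuples (hypothetical format).
    Flows not headed to ServicePorts are skipped, as the engine would do.
    """
    alarms = []
    for index, (dst_port, payload) in enumerate(flows):
        if dst_port != SERVICE_PORT:
            continue
        if matches_sa_signature(payload):
            alarms.append(index)
    return alarms


# Constructed sample flows (not real traffic). Framing bytes are placeholders.
SAMPLE_FLOWS = [
    (1433, b"\x10\x01" + b"s\x00a\x00" + b"A\x00"),   # null-interleaved "sa" then a printable byte: fires
    (1433, b"sa "),                                    # plain ASCII "sa" followed by a space: fires
    (1433, b"login=salesdb"),                          # "sa" inside "sales": fires (false positive)
    (80,   b"sa "),                                    # not port 1433: not inspected
    (1433, b"\x00" * 200 + b"sa "),                    # "sa" beyond MaxInspectLength: not seen
]

if __name__ == "__main__":
    for i in scan_flows(SAMPLE_FLOWS):
        print(f"alarm on flow {i}: {SAMPLE_FLOWS[i][1][:24]!r}")
```

Running it reports alarms on flows 0, 1 and 2. The third hit is the point worth noting: because the expression only requires some printable byte after the optional null, any field beginning with "sa" (Sa, SA, sales, sample) on port 1433 within the first 160 bytes will trip it, so expect tuning or a tighter expression (the later post in this thread mentions one) before treating a single hit as confirmed worm activity.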

Community Member

Re: String match for SQLspida ???

Would you be able to create a string sig in CSPM (using the RegexString value above) and push the update to your sensors instead of going through SigWizMenu?

Cisco Employee

Re: String match for SQLspida ???

Yes you could use the old custom string function in this case, however with some of the more specific signatures written in SILVER that will not always be possible. Please refer to the more recent post before creating your signature as we have released a better set of regular expressions for this WORM.

Community Member

Re: String match for SQLspida ???

OK.

Community Member

Re: String match for SQLspida ???

Where is SigWizMenu in 3.1.(2) S23? The only thing I can find is to add it thru IDM.

Bronze

Re: String match for SQLspida ???

Yes, there is a SigWizMenu. It is deprecated, but can be found at

/usr/nr/bin/.SigWizMenu

Note the period before the command name.

Community Member

Re: String match for SQLspida ???

oops, sorry, missed the dot prefix on the command
