Snort mailing list archives
MS-SQL Slammer Signature
From: "soc.sql" <soc.sql () vigilantminds com>
Date: Sat, 25 Jan 2003 10:45:52 -0500
Rule:

alert UDP any any -> any 1434 (msg:"SQL Slammer Worm"; rev:1; content:"|726e51686f756e746869636b43684765|";)

Summary:

The recent network traffic targeting UDP port 1434 has been recently identified as the Microsoft SQL Slammer worm. It propagates over UDP port 1434, the Microsoft SQL Monitoring port. Using crafted packets, the worm exploits a buffer overflow in the monitoring service implementation to infect the host. Currently, this worm is extremely widespread.

Impact:

Once infected, the host will simply continue propagation of the worm. No distributed denial of service, backdoor, or destructive functionality exists with this worm, but the amount of traffic it can generate is capable of causing network outages.

False Positives: Unknown

False Negatives: Unknown

Corrective Action:

Firewall UDP port 1434 and disable the service if not in use. Be certain that your SQL servers are fully patched. A reboot of an infected SQL server will remove the worm, but if the server is still vulnerable after the reboot and the proper firewall configurations have not been made, it will most likely be infected again.

Microsoft has a patch for vulnerable SQL Servers at:
http://www.microsoft.com/technet/security/bulletin/MS02-039.asp

Contributors:

VigilantMinds
http://www.vigilantminds.com
412-661-5700
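The following is an added example, written for this archive page and not part of the original post or of VigilantMinds' own tooling. It shows what the posted signature actually does: the header restricts matching to UDP datagrams with destination port 1434, and the `content:` option decodes the `|...|` hex span into 16 raw bytes that must appear anywhere in the payload. The small rule parser handles only the subset of Snort syntax used by this one rule (it is not Snort's parser), and the packet records it scans are constructed here for illustration; the only real value in it is the hex string from the rule itself.

```python
import binascii
from dataclasses import dataclass
from typing import Dict, List

# The signature exactly as posted to the list.
SLAMMER_RULE = (
    'alert UDP any any -> any 1434 (msg:"SQL Slammer Worm"; rev:1; '
    'content:"|726e51686f756e746869636b43684765|";)'
)


@dataclass
class Rule:
    action: str
    proto: str
    dst_port: str   # "any" or a port number as text
    msg: str
    content: bytes  # decoded bytes the payload must contain


@dataclass
class Packet:
    """Minimal packet record (constructed for this example, not a pcap parser)."""
    proto: str
    src_port: int
    dst_port: int
    payload: bytes


def parse_content(spec: str) -> bytes:
    """Decode a Snort content string: text inside |...| is hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                      # odd segments sit between pipes -> hex
            out += binascii.unhexlify(part.replace(" ", ""))
        else:                               # even segments are literal text
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> Rule:
    """Parse the header and the msg/content options of a simple Snort rule (assumed subset)."""
    header, _, options = text.partition("(")
    action, proto, _src, _sport, _arrow, _dst, dport = header.split()
    opts: Dict[str, str] = {}
    for opt in options.rstrip(")").split(";"):
        opt = opt.strip()
        if opt:
            key, _, value = opt.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return Rule(action, proto.lower(), dport, opts["msg"], parse_content(opts["content"]))


def matches(rule: Rule, pkt: Packet) -> bool:
    """Apply the rule header (protocol, destination port) and then the content match."""
    if pkt.proto.lower() != rule.proto:
        return False
    if rule.dst_port != "any" and pkt.dst_port != int(rule.dst_port):
        return False
    return rule.content in pkt.payload


def scan(rule: Rule, packets: List[Packet]) -> List[str]:
    """Return one alert line per matching packet."""
    return [f"{rule.action}: {rule.msg} udp/{p.src_port} -> udp/{p.dst_port}"
            for p in packets if matches(rule, p)]


MARKER = parse_content("|726e51686f756e746869636b43684765|")  # the 16 bytes from the rule

# Constructed sample traffic: only the second record should fire the signature.
SAMPLE_PACKETS = [
    Packet("udp", 40000, 1434, b"\x02"),                        # constructed SSRP-style ping
    Packet("udp", 40001, 1434, b"A" * 16 + MARKER + b"B" * 16),  # marker inside filler
    Packet("tcp", 40002, 1433, b"A" * 16 + MARKER + b"B" * 16),  # wrong protocol/port
    Packet("udp", 40003, 53, MARKER),                            # right bytes, wrong port
]


def demo() -> List[str]:
    return scan(parse_rule(SLAMMER_RULE), SAMPLE_PACKETS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The content bytes decode to the ASCII string `rnQhounthickChGe`; the first sample record shows that ordinary small datagrams to port 1434 do not trigger the rule, and the last two show that the same bytes on another protocol or port are ignored because the header is checked before the payload.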
