[flow-tools] w32.sqlexp.worm

McDonald, Dan Dan.McDonald@austinenergy.com
Sat, 25 Jan 2003 15:05:08 -0600


In case anyone needs it, here is the flow-tools nfilter that I've found to
match the worm that hit us...

# source port of the worm traffic: 1434/udp (MS SQL Server Resolution Service)
filter-primitive mssql
  type ip-port
  permit 1434
  default deny

# total octets of one worm packet: 20 IP + 8 UDP + 376 payload = 404,
# so this matches flows that carry exactly one copy of the worm
filter-primitive wormsize
  type counter
  permit eq 404
  default deny

# a flow is "the worm" only when both primitives match
filter theworm
  match src-ip-port mssql
  match octets wormsize

that with a flow-print -f 5 gave me the time of the first infection...

Daniel J McDonald, CCIE #2495, CNX
Lan/Wan Integrator
Austin Energy
1.512.322.6739
dan.mcdonald@austinenergy.com
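As an added illustration (not part of the original post or of flow-tools), the same two-condition match applied in Python to constructed flow records, picking out the earliest hit the way flow-print -f 5 showed the first infection; the record layout is an assumption, not a real export format.

```python
"""Replay the post's worm filter over constructed flow records: keep flows
whose source port is 1434 and whose octet count is exactly 404, then report
the earliest one (the 'first infection') and every source that matched."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample records, not real export data. Field order is an
# assumption: start time, src ip, src port, dst ip, dst port, proto, octets.
# Record 3 is two worm packets aggregated into one flow (808 octets), which
# the exact 'eq 404' test deliberately does not match; record 4 is ordinary
# DNS traffic that happens to be 404 octets.
SAMPLE_FLOWS = """\
2003-01-25 00:31:12,192.0.2.10,1434,198.51.100.7,1434,17,404
2003-01-25 00:29:58,192.0.2.44,1434,198.51.100.9,51327,17,404
2003-01-25 00:30:05,192.0.2.44,1434,198.51.100.12,1434,17,808
2003-01-25 00:32:40,192.0.2.8,53,198.51.100.3,40012,17,404
2003-01-25 00:33:02,192.0.2.10,1434,203.0.113.5,1434,17,404
"""


@dataclass
class Flow:
    start: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    octets: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the comma-separated constructed records into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, sip, sport, dip, dport, proto, octets = line.split(",")
        flows.append(Flow(datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
                          sip, int(sport), dip, int(dport),
                          int(proto), int(octets)))
    return flows


def is_worm_flow(f: Flow) -> bool:
    """Both primitives must match: source port 1434 AND exactly 404 octets."""
    return f.src_port == 1434 and f.octets == 404


def first_infection(flows: List[Flow]) -> Optional[Flow]:
    """Earliest matching flow, i.e. the first host seen sending the worm."""
    hits = [f for f in flows if is_worm_flow(f)]
    return min(hits, key=lambda f: f.start) if hits else None


def infected_sources(flows: List[Flow]) -> List[str]:
    """Distinct source addresses that emitted worm-sized 1434/udp flows."""
    return sorted({f.src_ip for f in flows if is_worm_flow(f)})
```

Note that a flow record aggregating several worm packets between one src/dst pair grows past 404 octets and slips through an exact-size match, so a `ge` or packet-count check may be worth adding alongside it.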