RE: SQLSlammer Worm & IDSs

From: Zach Forsyth (Zach.Forsyth@kiandra.com)
Date: 01/30/03

    Date: Thu, 30 Jan 2003 14:27:54 +1100
    From: "Zach Forsyth" <Zach.Forsyth@kiandra.com>
    To: "Andrew Plato" <aplato@anitian.com>

    I have a cisco 4210 for testing at the moment.

    I am unaware of how the Cisco IDS appliance handled it before the sig
    update.
    The reason for this is the limited abilities of the Event monitor that
    comes with the product.
    You can't filter by source or destination port unfortunately - and
    definitely can't do any reporting without purchasing ciscoworks :(

    Can't be bothered looking through all the events to find it. Sorry...

    Cisco now reports it as:

    Unkown-4701

    And that is with the sig update released on the 26th.
    There is no sig update for the event monitor, so I would assume when a
    sig update for the event monitor is released it will see it properly.

    -----Original Message-----
    From: Andrew Plato [mailto:aplato@anitian.com]
    Sent: Wednesday, 29 January 2003 9:49 AM
    To: crime@cs.pdx.edu; focus-ids@securityfocus.com
    Subject: SQLSlammer Worm & IDSs

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I am curious what people were seeing with SQL Slammer and their IDSs.
    I've been collecting anecdotal evidence that Slammer flew right past a
    lot of IDSs.

    I know that Snort and BlackICE just reported UDP port probes. Snort got
    a sig early Saturday morning however. RealSecure sensors had a signature
    in September that seemed to work.

    I am curious what anybody running Cisco's IDS, Symantec Manhunt,
    Enterasys Dragon, NFR, Intruvert, or any other IDS saw. Was it
    identified as a worm or just a port probe?

    What has me concerned is that the smallness of this worm made it look
    like nothing more than a UDP probe. As such, a lot of IDSs didn't
    consider this a very important event, since a UDP port probe is a pretty
    common event on any network.

    ___________________________________
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
     
    503-644-5656 Office
    503-644-8574 Fax
    503-201-0821 Mobile
    www.anitian.com
    ___________________________________


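Andrew's point is that a sensor keyed on "UDP to port 1434" sees a worm packet and a scanner's empty probe as the same low-priority event. The payload check below is an added illustration, not code from either poster or from any of the products named: it parses a raw IPv4/UDP packet, and separates an empty port probe from an SQL Server Resolution Service request and from an oversized type-0x04 request that no legitimate client would send. The packets are constructed here (filler bytes, not worm code), and the 300-byte threshold is an assumption chosen well above the size of a real SSRS request.

```python
import struct

SSRS_PORT = 1434          # UDP port of the SQL Server Resolution Service
OVERSIZE_THRESHOLD = 300  # assumption: a genuine SSRS request is tens of bytes


def build_udp_packet(src, dst, sport, dport, payload):
    """Constructed IPv4+UDP frame used as test input; checksums left zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + udp


def parse_udp(pkt):
    """Return (src, dst, sport, dport, payload), or None if not IPv4/UDP."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return src, dst, sport, dport, pkt[ihl + 8:ihl + ulen]


def classify(pkt):
    """Label one packet by what it carries, not just by the port it hits."""
    parsed = parse_udp(pkt)
    if parsed is None:
        return "not-udp"
    _, _, _, dport, payload = parsed
    if dport != SSRS_PORT:
        return "other-udp"
    if len(payload) == 0:
        return "udp-port-probe"          # all a port-scan signature reports
    if payload[0] == 0x04 and len(payload) >= OVERSIZE_THRESHOLD:
        return "ssrs-oversized-request"  # type 0x04 with an absurd length
    return "ssrs-request"                # ordinary instance lookup


# Constructed samples: an empty probe, a normal lookup, and an oversized one.
PROBE = build_udp_packet("10.0.0.5", "10.0.0.9", 40000, SSRS_PORT, b"")
NORMAL = build_udp_packet("10.0.0.5", "10.0.0.9", 40001, SSRS_PORT,
                          b"\x04MSSQLSERVER\x00")
OVERSIZED = build_udp_packet("10.0.0.5", "10.0.0.9", 40002, SSRS_PORT,
                             b"\x04" + b"A" * 375)

if __name__ == "__main__":
    for name, pkt in [("probe", PROBE), ("normal", NORMAL), ("oversized", OVERSIZED)]:
        print(name, classify(pkt))
```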
