BlackICE & SQL Slammer
From: Alexander Delarge (alex@nowhere.com)
Date: 01/29/03
- Next message: Armin Krawinkel: "Re: When I log a user off in Windows XP Pro. Ed, does Zonealarm still protect me?"
- Previous message: Duane Arnold: "Re: Beware of Zone Labs & Zone Alarm Pro"
- Next in thread: Stupified: "Re: BlackICE & SQL Slammer"
- Reply: Stupified: "Re: BlackICE & SQL Slammer"
- Reply: Duane Arnold: "Re: BlackICE & SQL Slammer"
- Reply: neo techopolis: "Re: BlackICE & SQL Slammer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Alexander Delarge" <alex@nowhere.com> Date: Wed, 29 Jan 2003 06:56:32 GMT
Just got this tonight from the company we hire for security work. It's
instructions on how to make BlackICE respond automatically to SQL Slammer.
Thought I'd share it with the newsgroup. It comes from Andrew Plato, the
BlackICE guru.
------------------
Security Notification
Configuration to allow BlackICE to Detect and Respond to SQL Slammer
(AKA: Sapphire)
Many BlackICE users have contacted me regarding the recent SQL
Slammer worm and its effects. Currently, BlackICE is only reporting
SQL Slammer as a UDP port probe. This is due to the extremely small
size of the Slammer worm. It is contained within a single UDP
datagram. RealSecure Network Sensor users have a signature that was
available in September of 2002 that detected this worm. However,
BlackICE had not gotten that update, yet.
Anitian has devised a configuration fix that will allow your BlackICE
agents (Sentry, Guard, Server, and Workstation) to detect and respond to
the recent SQL Slammer worm. This configuration will cause the
BlackICE software to identify UDP probes on port 1434 as a "Code Red
II+" and then block the IP address of the offending system
automatically.
Obviously SQL Slammer is not a Code Red attack, but we chose this
signature because this signature initiates an immediate firewall
block from the offending IP address. This doesn't mean your system
will be entirely safe, but it will prevent additional compromise and
block the attacker for an hour.
NOTE: This configuration is not endorsed by Internet Security Systems
(yet).
- - From BlackICE Local Console
1. Stop the BlackICE service.
2. Locate the sigs.ini file in the directory where BlackICE is
installed.
3. Right-click on this file and uncheck the read-only option.
4. Open this file in Notepad, or other such text editor.
5. Insert the following line:
udpprobe.2004603.1434=SQLSlammer
6. Save the file.
7. Once saved, return the file to read-only.
- - From ICEcap
You will need to repeat these steps for every IDS configuration where
you wish to deploy this signature modification.
1. Logon to ICEcap.
2. Go to the IDS Configuration Policy Element and click on Edit for
the IDS configuration where you wish to make this change.
3. Click on Custom.
4. Click Add Parameter.
5. In the NAME box enter: udpprobe.2004603.1434
6. In the VALUE box enter: SQLSlammer
7. Enter anything you want in the Comments box.
8. Click Save Settings
If you wish to use a different signature, one that will not initiate
a firewall block, you might consider Worm Extensions (signature ID:
2002209). Replace this signature ID with the 2004603 in the above
examples.
If you are filtering UDP port 1434 at your border firewall or you
have BlackICE in Paranoid mode, you should remain unaffected by this
worm. In paranoid mode, BlackICE blocks all upper UDP ports by
default.
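As an added example, not part of the post or of Anitian's notice, the script below automates steps 2 to 7 of the local-console procedure: it clears the read-only attribute on sigs.ini, inserts the `udpprobe.<signature id>.1434=SQLSlammer` line exactly once, and restores read-only. It also builds the alternative Worm Extensions key (signature ID 2002209) the notice mentions. Where inside sigs.ini the line belongs is not stated in the notice, so its placement (after the last existing `udpprobe.` line, else at the end) and the sample file contents are assumptions. Stopping the BlackICE service first (step 1) is left to the operator.

```python
"""Apply the Anitian sigs.ini change for BlackICE (constructed example)."""
import os
import stat
import tempfile
from pathlib import Path

# Signature IDs quoted in the notice: 2004603 ("Code Red II+", triggers an
# immediate firewall block) and 2002209 ("Worm Extensions", no block).
SIG_CODE_RED_II_PLUS = 2004603
SIG_WORM_EXTENSIONS = 2002209
SLAMMER_UDP_PORT = 1434


def build_signature_key(signature_id: int = SIG_CODE_RED_II_PLUS,
                        port: int = SLAMMER_UDP_PORT) -> str:
    """Return the sigs.ini key name, e.g. 'udpprobe.2004603.1434'."""
    return f"udpprobe.{signature_id}.{port}"


def apply_signature(ini_text: str, key: str, value: str = "SQLSlammer") -> str:
    """Return ini_text with 'key=value' present exactly once.

    Placement is an assumption (the notice does not say where the line goes):
    an existing line for the same key is rewritten in place; otherwise the new
    line goes after the last existing 'udpprobe.' line, or at the end of the
    file if there is none.
    """
    lines = ini_text.splitlines()
    new_line = f"{key}={value}"
    last_udpprobe = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.lower().startswith("udpprobe."):
            last_udpprobe = i
            name, _, _ = stripped.partition("=")
            if name.strip().lower() == key.lower():
                lines[i] = new_line  # already present: normalise, stay idempotent
                return "\n".join(lines) + "\n"
    insert_at = len(lines) if last_udpprobe is None else last_udpprobe + 1
    lines.insert(insert_at, new_line)
    return "\n".join(lines) + "\n"


def signature_present(ini_text: str, key: str, value: str = "SQLSlammer") -> bool:
    """True if some line of ini_text reads key=value (key compared case-insensitively)."""
    for line in ini_text.splitlines():
        name, sep, val = line.strip().partition("=")
        if sep and name.strip().lower() == key.lower() and val.strip() == value:
            return True
    return False


def patch_sigs_ini(path: Path, key: str, value: str = "SQLSlammer") -> bool:
    """Steps 3 to 7 of the notice: clear read-only, edit, restore read-only.

    Returns True if the file content changed.
    """
    original_mode = path.stat().st_mode
    was_read_only = not (original_mode & stat.S_IWRITE)
    if was_read_only:
        os.chmod(path, original_mode | stat.S_IWRITE)  # step 3: uncheck read-only
    try:
        before = path.read_text()
        after = apply_signature(before, key, value)  # step 5: insert the line
        if after != before:
            path.write_text(after)  # step 6: save
        return after != before
    finally:
        if was_read_only:
            os.chmod(path, original_mode & ~stat.S_IWRITE)  # step 7: read-only again


if __name__ == "__main__":
    # Constructed sigs.ini stand-in; the real file lives in the BlackICE install dir.
    sample = "[Sigs]\nudpprobe.2001234.137=NetBIOS\ntcpprobe.2001235.80=HTTP\n"
    with tempfile.TemporaryDirectory() as tmp:
        ini = Path(tmp) / "sigs.ini"
        ini.write_text(sample)
        os.chmod(ini, ini.stat().st_mode & ~stat.S_IWRITE)  # simulate read-only
        changed = patch_sigs_ini(ini, build_signature_key())
        print("changed:", changed)
        print(ini.read_text())
        print("still read-only:", not (ini.stat().st_mode & stat.S_IWRITE))
```

To use the non-blocking variant from the notice, call `build_signature_key(SIG_WORM_EXTENSIONS)` instead; `signature_present()` is the post-change check, and the same key/value pair is what goes into the ICEcap NAME and VALUE boxes.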