Re: BlackICE & SQL Slammer

From: Duane Arnold (notme@notme.com)
Date: 01/29/03


From: "Duane Arnold" <notme@notme.com>
Date: Wed, 29 Jan 2003 17:38:57 GMT

I appreciate your comments on this and anyone who really knows what you're
talking about knows that it has nothing to do with a *patch*. It's a nice
tip and I do hope you post every now and then with some more tips -- my eyes
are open.

I do think that it's kind of funny that I don't see anyone else making this
kind of post on a tip on how to control a firewall product.

I am not putting down the rest of the products, but it does show the
difference between BlackIce or any of ISS's IDS systems and the *rest*.

There are four types of the following:

1) Someone who has heard about BID wrongly -- due to *Gibson*.
2) Someone who has tried BID and had no *clue*.
3) Someone who has tried BID and doesn't understand how it really works.
4) Someone who is using BID and doesn't know how to use BID to its fullest
capabilities.

I consider myself a number 4 and I got some more learning to do and I am
pretty damn good with using the product.

Like I said, I appreciate it and keep things on a positive note. BlackIce is
one of the best -- plain and simple.

Duane :)

--
The protection of the machine is a process and is not a given!
"Alexander Delarge" <alex@nowhere.com> wrote in message
news:AWKZ9.76180$rM2.43835@rwcrnsc53...
> Just got this tonight from the company we hire for security work. It's
> instructions on how to make BlackICE respond automatically to SQL Slammer.
> Thought I'd share it with the newsgroup. It comes from Andrew Plato, the
> BlackICE guru.
>
> ------------------
>
> Security Notification
> Configuration to allow BlackICE to Detect and Respond to SQL Slammer
> (AKA: Sapphire)
>
> Many BlackICE users have contacted me regarding the recent SQL
> Slammer worm and its effects. Currently, BlackICE is only reporting
> SQL Slammer as a UDP port probe. This is due to the extremely small
> size of the Slammer worm. It is contained within a single UDP
> datagram. RealSecure Network Sensor users have a signature that was
> available in September of 2002 that detected this worm. However,
> BlackICE had not gotten that update, yet.
>
> Anitian has devised a configuration fix that will allow your BlackICE
> agents (Sentry, Guard, Server, and Workstation) to detect and respond to
> the recent SQL Slammer worm. This configuration will cause the
> BlackICE software to identify UDP probes on port 1434 as a "Code Red
> II+" and then block the IP address of the offending system
> automatically.
>
> Obviously SQL Slammer is not a Code Red attack, but we chose this
> signature because this signature initiates an immediate firewall
> block from the offending IP address. This doesn't mean your system
> will be entirely safe, but it will prevent additional compromise and
> block the attacker for an hour.
>
> NOTE: This configuration is not endorsed by Internet Security Systems
> (yet).
>
> - - From BlackICE Local Console
>
> 1. Stop the BlackICE service.
> 2. Locate the sigs.ini file in the directory where BlackICE is
> installed.
> 3. Right-click on this file and uncheck the read-only option.
> 4. Open this file in Notepad, or other such text editor.
> 5. Insert the following line:
>
>        udpprobe.2004603.1434=SQLSlammer
>
> 6. Save the file.
> 7. Once saved, return the file to read-only.
>
> - - From ICEcap
>
> You will need to repeat these steps for every IDS configuration where
> you wish to deploy this signature modification.
>
> 1. Logon to ICEcap.
> 2. Go to the IDS Configuration Policy Element and click on Edit for
> the IDS configuration where you wish to make this change.
> 3. Click on Custom.
> 4. Click Add Parameter.
> 5. In the NAME box enter: udpprobe.2004603.1434
> 6. In the VALUE box enter: SQLSlammer
> 7. Enter anything you want in the Comments box.
> 8. Click Save Settings.
>
> If you wish to use a different signature, one that will not initiate
> a firewall block, you might consider Worm Extensions (signature ID:
> 2002209). Replace this signature ID with the 2004603 in the above
> examples.
>
> If you are filtering UDP port 1434 at your border firewall or you
> have BlackICE in Paranoid mode, you should remain unaffected by this
> worm. In paranoid mode, BlackICE blocks all upper UDP ports by
> default.
>
>
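As an added example (not code from the post, from Anitian, or from ISS), here is a small Python helper that performs steps 2 through 7 of the quoted local-console procedure without hand-editing: it clears the read-only attribute on sigs.ini, adds the udpprobe line for port 1434, and restores read-only. It is idempotent, so running it twice adds nothing, and switching from the blocking signature (2004603) to the alert-only Worm Extensions signature (2002209) rewrites the existing line instead of leaving two mappings for the same port. The key layout `udpprobe.<signatureID>.<port>=<name>` is assumed to generalize from the single line in the notification, sigs.ini is assumed to be plain text, and the file contents in `demo()` are constructed. Stopping the BlackICE service (step 1) is still done outside the script.

```python
"""Apply the sigs.ini change from the SQL Slammer notification idempotently.

Assumptions (not confirmed by the post): sigs.ini is plain text and every
udpprobe mapping has the form  udpprobe.<signatureID>.<port>=<name>.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Signature IDs quoted in the notification.
SIG_CODE_RED_II_PLUS = "2004603"  # response: immediate firewall block of the source IP
SIG_WORM_EXTENSIONS = "2002209"   # response: alert only, no firewall block

# Key format assumed from the one example line in the post.
UDPPROBE_RE = re.compile(r"^\s*udpprobe\.(\d+)\.(\d+)\s*=\s*(.*?)\s*$")


def configured_signature(lines, port):
    """Return (signature_id, name) for the udpprobe mapping on `port`, or None."""
    for line in lines:
        m = UDPPROBE_RE.match(line)
        if m and int(m.group(2)) == port:
            return m.group(1), m.group(3)
    return None


def apply_udpprobe_signature(lines, port, signature_id, name):
    """Return (new_lines, changed).

    Any existing mapping for `port` is rewritten in place and duplicates are
    dropped, so exactly one udpprobe line exists for the port afterwards.
    """
    wanted = f"udpprobe.{signature_id}.{port}={name}"
    out, replaced = [], False
    for line in lines:
        m = UDPPROBE_RE.match(line)
        if m and int(m.group(2)) == port:
            if replaced:
                continue  # a second mapping for the same port is redundant
            out.append(wanted)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(wanted)
    return out, out != list(lines)


def patch_sigs_ini(path, port=1434, signature_id=SIG_CODE_RED_II_PLUS, name="SQLSlammer"):
    """Steps 2-7 of the local-console procedure; stop the service first (step 1).

    Returns True when the file was modified.
    """
    path = Path(path)
    mode = path.stat().st_mode
    was_readonly = not (mode & stat.S_IWUSR)
    if was_readonly:
        # On Windows os.chmod only honours the write bit, which is exactly the
        # read-only attribute the notification tells you to uncheck.
        os.chmod(path, mode | stat.S_IWUSR)
    try:
        lines = path.read_text(encoding="utf-8").splitlines()
        new_lines, changed = apply_udpprobe_signature(lines, port, signature_id, name)
        if changed:
            path.write_text("\n".join(new_lines) + "\n", encoding="utf-8")
    finally:
        if was_readonly:
            os.chmod(path, mode)  # step 7: return the file to read-only
    return changed


def demo():
    """Exercise the helper on a constructed sigs.ini (not a real ISS file)."""
    sample = "; constructed sample, not a real ISS sigs.ini\n" \
             "udpprobe.2002209.137=ConstructedNetBIOSProbe\n"
    with tempfile.TemporaryDirectory() as tmp:
        ini = Path(tmp) / "sigs.ini"
        ini.write_text(sample, encoding="utf-8")
        os.chmod(ini, stat.S_IREAD)  # mimic the read-only file the post describes
        first = patch_sigs_ini(ini)                                   # adds the line
        second = patch_sigs_ini(ini)                                  # no-op
        third = patch_sigs_ini(ini, signature_id=SIG_WORM_EXTENSIONS)  # swaps 2004603 -> 2002209
        text = ini.read_text(encoding="utf-8")
        readonly_after = not (ini.stat().st_mode & stat.S_IWUSR)
        os.chmod(ini, stat.S_IREAD | stat.S_IWRITE)  # let the temp dir clean up
    return {
        "first_changed": first,
        "second_changed": second,
        "third_changed": third,
        "mapping_count": text.count(".1434="),
        "final": configured_signature(text.splitlines(), 1434),
        "readonly_after": readonly_after,
    }


if __name__ == "__main__":
    print(demo())
```

The ICEcap path in the post is a per-policy form, so nothing here applies to it; the helper only covers the local sigs.ini edit, and `configured_signature()` is the quick check that the mapping landed on port 1434 before the service is started again.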

