SQLSlammer Worm & IDSs
From: Andrew Plato <aplato(at)anitian.com>
Date: Tue Jan 28 2003 - 17:49:21 EST

I am curious what people were seeing with SQL Slammer and their IDSs. I've been collecting anecdotal evidence that Slammer flew right past a lot of IDSs. I know that Snort and BlackICE just reported UDP port probes. Snort got a sig early Saturday morning, however. RealSecure sensors had a signature in September that seemed to work.

I am curious what anybody running Cisco's IDS, Symantec Manhunt, Enterasys Dragon, NFR, Intruvert, or any other IDS saw. Was it identified as a worm or just a port probe?

What has me concerned is that the smallness of this worm made it look like nothing more than a UDP probe. As such, a lot of IDSs didn't consider this a very important event, since a UDP port probe is a pretty common event on any network.

Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:08 EDT