Pantek Library

RE: SQLSlammer Worm & IDSs

From: Thierry Evangelista <thierry.evangelista(at)turpial.net>
Date: Wed Jan 29 2003 - 14:47:52 EST


Andrew,

FYI, I'm running a Dragon installation at home as well as on some customer sites, and all of them reported the worm as an MS-SQL:REG-STACK event with CVE and bugtraq references describing the attack.

### Thierry ###
"To name a thing is not the same as 'to know a thing.'" Richard Feynman

-----Original Message-----

From: Andrew Plato [mailto:aplato@anitian.com]
Sent: Tuesday 28 January 2003 23:49
To: crime@cs.pdx.edu; focus-ids@securityfocus.com
Subject: SQLSlammer Worm & IDSs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am curious what people were seeing with SQL Slammer and their IDSs. I've been collecting anecdotal evidence that Slammer flew right past a lot of IDSs.

I know that Snort and BlackICE just reported UDP port probes. Snort got a sig early Saturday morning however. RealSecure sensors had a signature in September that seemed to work.

I am curious what anybody running Cisco's IDS, Symantec Manhunt, Enterasys Dragon, NFR, Intruvert, or any other IDS saw. Was it identified as a worm or just a port probe?


What has me concerned is that the smallness of this worm made it look like nothing more than a UDP probe. As such, a lot of IDSs didn't consider this a very important event, since a UDP port probe is a pretty common event on any network.



Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation  
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile

www.anitian.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.13

iD8DBQE+NwjfRFTPAXEeGWkRAoYjAJ9YQ4Y5zrWtbukdw1sAp2bhyFkoIACfZkdl ev2MhAeNBwJaoTEXZDG+/mk==cGis
-----END PGP SIGNATURE-----
Received on Fri Jan 31 11:05:00 2003
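Andrew's concern is that Slammer, a single 376-byte UDP datagram to port 1434, is indistinguishable from a UDP port probe to a sensor that only keys on the port, while Thierry's Dragon sensors raised a content-based event. The following added example (written for this page; it is not code from either poster, from Dragon, or from any IDS product) puts the two approaches side by side on constructed sample traffic. The worm datagram is synthetic: it keeps the real packet's shape (SSRP request type 0x04 followed by a long run of 0x01 padding) and embeds the byte sequence the Snort Slammer signature matches on, with 0x90 filler for the rest; the 64-byte padding threshold and the source addresses are assumptions.

```python
"""Port-probe heuristic vs. content signature on UDP/1434 traffic.

Added example, not from the original thread. Sample datagrams below are
constructed, not captured.
"""
from collections import Counter

SSRP_PORT = 1434              # SQL Server Resolution Service
SLAMMER_PAYLOAD_LEN = 376     # UDP payload length of the real worm datagram
# Byte sequence the public Snort Slammer rule matches on (part of the worm's
# decoder stub). MIN_PAD_RUN is an assumed threshold, not a protocol constant.
SLAMMER_XOR_SEQ = bytes.fromhex("81f10301049b81f101")
MIN_PAD_RUN = 64


def is_slammer(payload: bytes) -> bool:
    """Content signature.

    A legitimate SSRP 0x04 request is a short, NUL-terminated instance name.
    The worm's 0x04 request is followed by a long run of 0x01 bytes (the
    overflow filler) and carries the decoder stub; require both.
    """
    if len(payload) < MIN_PAD_RUN + 1 or payload[0] != 0x04:
        return False
    pad = 0
    for b in payload[1:]:
        if b != 0x01:
            break
        pad += 1
    return pad >= MIN_PAD_RUN and SLAMMER_XOR_SEQ in payload


def classify(dst_port: int, payload: bytes) -> str:
    """Classify one UDP datagram: worm, ssrp-query, probe, or other."""
    if dst_port != SSRP_PORT:
        return "other"
    if is_slammer(payload):
        return "worm"
    if payload and payload[0] == 0x04:
        return "ssrp-query"
    return "probe"


def probe_only_view(packets):
    """What a port-probe-only sensor reports: UDP/1434 datagrams per source.

    Every entry looks the same, whether it is an empty probe or the worm.
    """
    return Counter(src for src, port, _ in packets if port == SSRP_PORT)


def signature_view(packets):
    """What a content-signature sensor reports for the same traffic."""
    return [(src, classify(port, payload)) for src, port, payload in packets]


# Constructed sample traffic (not a capture).
WORM = b"\x04" + b"\x01" * 97 + SLAMMER_XOR_SEQ
WORM += b"\x90" * (SLAMMER_PAYLOAD_LEN - len(WORM))      # synthetic filler
LEGIT_QUERY = b"\x04" + b"MSSQLSERVER\x00"               # CLNT_UCAST_INST
EMPTY_PROBE = b""

SAMPLE = [
    ("10.0.0.5", 1434, EMPTY_PROBE),     # scanner, two bare probes
    ("10.0.0.5", 1434, EMPTY_PROBE),
    ("192.0.2.77", 1434, WORM),          # one infected host, one datagram
    ("10.0.0.9", 1434, LEGIT_QUERY),     # client asking for a named instance
    ("10.0.0.9", 445, b"\x00"),          # unrelated traffic
]

if __name__ == "__main__":
    print("probe-only sensor:", dict(probe_only_view(SAMPLE)))
    for src, verdict in signature_view(SAMPLE):
        print(f"signature sensor: {src:12} {verdict}")
```

The probe-only view shows the worm host as a single UDP/1434 hit, indistinguishable from the scanner's probes and, by count, less interesting than them; the signature view flags exactly that one datagram as the worm and leaves the legitimate instance query alone. That is the gap between the sensors that logged Slammer as a port probe and those that named it.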

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:08 EDT

