
Re: SQLSlammer Worm & IDSs

From: Mike Barkett <mbarkett(at)nfr.com>
Date: Wed Jan 29 2003 - 18:31:54 EST

Andrew -

Prior even to the initial propagation of the worm, NFR NID detected exploitation of the underlying vulnerability and identified it as a "SQL Server stack overflow." Several major NFR customers sent us emails complimenting us on our foresight, as their NFR NID appliances have enabled them to detect this attack since August, 2002. Still, our Rapid Response Team responded the day of the outbreak, releasing an updated version of the package that identified the worm by its new name and included some tuning variables to help reduce the number of alerts generated by the incoming onslaught from other, more vulnerable sites. From my perspective, this was remarkably reminiscent of the Nimda epidemic, and it is another testament to the value of advanced hybrid intrusion detection solutions.

-MAB

--

Michael A Barkett
VP, Systems Engineering
NFR Security, Inc.
5 Choke Cherry Road, Rockville, MD 20850 Phone: 240.747.3478 Fax: 240.632.0202

----- Original Message -----
From: "Andrew Plato" <aplato@anitian.com>
To: <crime@cs.pdx.edu>; <focus-ids@securityfocus.com>
Sent: Tuesday, January 28, 2003 5:49 PM
Subject: SQLSlammer Worm & IDSs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am curious what people were seeing with SQL Slammer and their IDSs. I've been collecting anecdotal evidence that Slammer flew right past a lot of IDSs.

I know that Snort and BlackICE just reported UDP port probes. Snort got a sig early Saturday morning however. RealSecure sensors had a signature in September that seemed to work.

I am curious what anybody running Cisco's IDS, Symantec Manhunt, Enterasys Dragon, NFR, Intruvert, or any other IDS saw. Was it identified as a worm or just a port probe?


What has me concerned is that the smallness of this worm made it look like nothing more than a UDP probe. As such, a lot of IDSs didn't consider this a very important event, since a UDP port probe is a pretty common event on any network.



Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile

www.anitian.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.13

iD8DBQE+NwjfRFTPAXEeGWkRAoYjAJ9YQ4Y5zrWtbukdw1sAp2bhyFkoIACfZkdl
ev2MhAeNBwJaoTEXZDG+/mk=
=cGis
-----END PGP SIGNATURE-----
Received on Fri Jan 31 11:28:45 2003
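The exchange above turns on one point: a single small UDP datagram is, to a port-based rule, indistinguishable from the probes every network sees all day, and only a rule that looks at the payload can raise it to the severity the event deserves. The following Python is an added example, not code from either poster or from any of the IDS products named in the thread. It models the two kinds of rule side by side and adds a per-source alert cap of the sort Mike Barkett describes as "tuning variables." It assumes the worm arrives as one UDP datagram to the SQL Server Resolution Service port, 1434/udp (a fact not stated in the thread); the payload prefix, the minimum length and the sample traffic are constructed placeholders standing in for a real signature, not the worm's actual bytes.

```python
"""Added example: port-only versus payload-aware detection of a one-datagram
UDP worm, plus a per-source alert cap. Not code from the thread or from any
IDS vendor; the signature values below are constructed placeholders."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SQL_RESOLUTION_PORT = 1434  # SQL Server Resolution Service, UDP (assumed, not from the thread)

# Constructed placeholder signature. A real content rule matches specific
# bytes of the exploit payload; these values only illustrate the mechanism.
WORM_PAYLOAD_PREFIX = b"\x04"
WORM_MIN_PAYLOAD_LEN = 300  # a bare port probe carries far fewer bytes than an exploit


@dataclass
class UdpDatagram:
    src: str        # source address
    dst_port: int   # destination UDP port
    payload: bytes  # UDP payload


def port_probe_rule(pkt: UdpDatagram) -> Optional[str]:
    """Port-only rule: every datagram to the service port is 'a UDP probe',
    whatever it carries. This is the behaviour Andrew Plato saw."""
    if pkt.dst_port == SQL_RESOLUTION_PORT:
        return "UDP port probe"
    return None


def content_rule(pkt: UdpDatagram) -> Optional[str]:
    """Payload-aware rule: same port, but an exploit-sized payload that starts
    with the signature prefix is reported under the vulnerability's name
    (the label NFR used); anything smaller stays a low-priority probe."""
    if pkt.dst_port != SQL_RESOLUTION_PORT:
        return None
    if (len(pkt.payload) >= WORM_MIN_PAYLOAD_LEN
            and pkt.payload.startswith(WORM_PAYLOAD_PREFIX)):
        return "SQL Server stack overflow"
    return "UDP port probe"


def classify(packets: List[UdpDatagram],
             rule: Callable[[UdpDatagram], Optional[str]],
             per_source_limit: Optional[int] = None) -> List[Tuple[str, str]]:
    """Run one rule over a packet list and return (source, verdict) alerts.
    per_source_limit caps alerts per (source, verdict) pair: the kind of
    tuning knob that keeps an infected neighbour from flooding the console."""
    seen = defaultdict(int)
    alerts = []
    for pkt in packets:
        verdict = rule(pkt)
        if verdict is None:
            continue
        key = (pkt.src, verdict)
        seen[key] += 1
        if per_source_limit is None or seen[key] <= per_source_limit:
            alerts.append(key)
    return alerts


def sample_traffic() -> List[UdpDatagram]:
    """Constructed traffic: one ordinary query, one tiny probe, five copies of
    an exploit-sized datagram from one host, and an unrelated DNS packet.
    Addresses are from documentation ranges; nothing here is captured data."""
    worm_like = WORM_PAYLOAD_PREFIX + b"\x01" * (WORM_MIN_PAYLOAD_LEN + 75)
    return [
        UdpDatagram("203.0.113.5", SQL_RESOLUTION_PORT, b"\x02"),   # small query
        UdpDatagram("198.51.100.9", SQL_RESOLUTION_PORT, b"\x04"),  # bare probe
        *[UdpDatagram("192.0.2.77", SQL_RESOLUTION_PORT, worm_like) for _ in range(5)],
        UdpDatagram("192.0.2.77", 53, b"\x00" * 40),                # unrelated
    ]


if __name__ == "__main__":
    traffic = sample_traffic()
    print("port-only  :", classify(traffic, port_probe_rule))
    print("content    :", classify(traffic, content_rule))
    print("content+cap:", classify(traffic, content_rule, per_source_limit=1))
```

Run as a script, the port-only rule emits seven identical "UDP port probe" alerts and buries the five exploit-sized datagrams among the ordinary ones; the content rule separates them, and the per-source cap collapses the five repeats from the one infected host into a single alert while keeping the two genuinely distinct probes.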

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:08 EDT

