RE: Did IDSes detect the SQL worm?
Our IDS sensors were extremely effective in detecting this activity, especially during the early stages without any specific sigs for Slammer. The real savior here was our NOC staff, who detected the rise in 1434 traffic, made the right contacts and did some initial research into the activity across the network. It was extremely helpful to start at such a granular level and not have to rely entirely on a pre-defined sig.
The end result was minimal impact. A few small scripts and pro-tem sigs were kept running until the vendors made their Slammer signatures available.
Terence Runge
VERITAS Software Corporation
-----Original Message-----
From: Scott C. Kennedy [mailto:sck@infosyscorp.com]
Sent: Friday, January 31, 2003 11:02 AM
To: Kurt Seifried
Cc: focus-ids@securityfocus.com
Subject: Re: Did IDSes detect the SQL worm?
We caught the first few hundred packets, verified firewall rulesets, and then called upstream to warn our providers, and they were not aware of the problem until we called, so I'd say our reaction due to the IDS systems was very positive. Within an hour we'd contacted most of our customer base, all of the upstream providers, had tuned our IDS system to only alert for out-bound worm packets and went back to watching the rest of the net panic while the peers got slammed.
Kurt Seifried wrote:
>So it appears that a lot of IDS systems detected this worm and alerted
>falling
>apart under the load of packets. Does anyone have a success story with
--
Scott C. Kennedy
Lead Security Architect/ Director of Security
Infosys Corporation
Work: (877) 772-2347
PGP:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE27C1102
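Both posters describe the same pro-tem approach: watch for a sudden rise in UDP/1434 traffic before a vendor signature exists, then narrow alerting to outbound worm packets so the sensor identifies infected hosts on your own side rather than the whole Internet scanning you. The following is an added example of such a script; it is not code from either poster or from any IDS product. It assumes a simple "timestamp src dst proto dport" record format (for instance flow logs exported by a sensor) and treats 10.0.0.0/8 as the site's address space; both are assumptions, and the log lines are constructed, not a real capture.

```python
"""Pro-tem detector for a UDP/1434 traffic spike, with outbound-host attribution."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed site address space (adjust to your own); everything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample records, not real capture data: "t src dst proto dport".
# Windows 0-2 carry a trickle of inbound 1434 probes; window 3 is the burst,
# including an internal host 10.1.2.50 spraying UDP/1434 outbound.
SAMPLE_LOG = """
0 10.1.2.3 198.51.100.7 udp 53
5 10.1.2.4 198.51.100.9 tcp 80
30 203.0.113.5 10.1.2.10 udp 1434
70 10.1.2.3 198.51.100.7 udp 53
100 203.0.113.6 10.1.2.11 udp 1434
130 10.1.2.4 198.51.100.9 tcp 443
180 203.0.113.7 10.1.2.10 udp 1434
181 203.0.113.8 10.1.2.12 udp 1434
182 203.0.113.9 10.1.2.13 udp 1434
183 203.0.113.10 10.1.2.14 udp 1434
184 203.0.113.11 10.1.2.15 udp 1434
185 203.0.113.12 10.1.2.16 udp 1434
190 10.1.2.50 203.0.113.20 udp 1434
191 10.1.2.50 203.0.113.21 udp 1434
192 10.1.2.50 198.51.100.22 udp 1434
193 10.1.2.50 203.0.113.23 udp 1434
194 10.1.2.50 203.0.113.24 udp 1434
195 10.1.2.50 203.0.113.25 udp 1434
196 10.1.2.50 203.0.113.26 udp 1434
200 10.1.2.3 198.51.100.7 udp 53
"""


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_records(text):
    """Parse whitespace-separated records into dicts; skips blank lines."""
    recs = []
    for line in text.strip().splitlines():
        t, src, dst, proto, dport = line.split()
        recs.append({"t": int(t), "src": src, "dst": dst,
                     "proto": proto.lower(), "dport": int(dport)})
    return recs


def direction(rec):
    """inbound / outbound / internal, judged from the assumed site address space."""
    src_in, dst_in = is_internal(rec["src"]), is_internal(rec["dst"])
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal"


def is_candidate(rec):
    """The pro-tem trigger: any UDP datagram to port 1434, no payload knowledge needed."""
    return rec["proto"] == "udp" and rec["dport"] == 1434


def counts_per_window(recs, window=60):
    """Count candidate packets per fixed time window (window index = t // window)."""
    counts = Counter()
    for rec in recs:
        if is_candidate(rec):
            counts[rec["t"] // window] += 1
    return counts


def find_spikes(counts, baseline_windows=3, factor=10.0, min_packets=5):
    """Flag windows after the baseline whose count exceeds max(min_packets, factor*mean).

    min_packets keeps a quiet baseline (mean near zero) from alerting on a single probe.
    """
    if not counts:
        return []
    baseline = [counts.get(w, 0) for w in range(baseline_windows)]
    threshold = max(min_packets, factor * sum(baseline) / len(baseline))
    return [(w, counts.get(w, 0))
            for w in range(baseline_windows, max(counts) + 1)
            if counts.get(w, 0) > threshold]


def outbound_1434_sources(recs):
    """Internal hosts emitting UDP/1434 to the outside: the candidates to isolate first."""
    hosts = Counter()
    for rec in recs:
        if is_candidate(rec) and direction(rec) == "outbound":
            hosts[rec["src"]] += 1
    return hosts


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    print("spikes:", find_spikes(counts_per_window(records)))
    print("outbound 1434 sources:", dict(outbound_1434_sources(records)))
```

The two stages mirror the thread: `find_spikes` is the "rise in 1434 traffic" the NOC noticed, and `outbound_1434_sources` is the narrowed alert for outbound packets only, which is what tells you which of your own machines to pull off the wire while the inbound noise from the rest of the Internet is ignored. With real data, feed it the flow export of your sensor and tune `window`, `factor` and `min_packets` against a quiet day before relying on it.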
Received on Mon Feb 3 12:19:08 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:08 EDT